21s-2550: Introduction to Cybersecurity

Welcome to CY 2550 Spring 2021!

This section of the course will be delivered using the Hybrid NUflex learning modality in order to accommodate in-person, online synchronous, and online asynchronous participation. I will be teaching classes in-person, and these lectures will be live-streamed via Zoom to enable remote participation and recorded for offline viewing. If I cannot make an in-person class, prior notice will be posted on Piazza. If conditions in the community become unsafe due to COVID-19, then class may be permanently moved online.

Students planning to attend lectures in-person are expected to stagger their attendance in accordance with Northeastern’s dynamic scheduling policy. All students in class are expected to wear masks and socially distance themselves.

First steps

  • You have a few actions items before class:
    1. Enroll in the course Piazza to get answers to your questions. Note: make sure you are in my section’s Piazza.
    2. Enroll in gradescope using the registration code from Canvas or the first day of class.

Course Basics

  • Instructors: abhi shelat, Christo is running another section of the same course

  • TF 9:50–11:30am, SH 305

  • We have

    • TAs: Kieran Croucher, Noelle Floyd, Byron Kress, Sarah Lackey, Nathan Pedowitz, Donald Sea, Riddhi Adhiya, Martin Petrauskas
    • The best way to engage the course staff is via piazza and office hours.
  • Office hours:

    • Zoom links will be posted in Canvas and piazza.

Goals

This is an introductory (first-year) course that presents an overview of basic cybersecurity principles and concepts. The high-level goal is to introduce main topics in security, introduce adversarial thinking mindset, threat modelling, and design of defense mechanisms.

In my own interpretation, a large part of the field is understanding different classes of failures for critical systems. I think of four categories of failures:

  • Failure in operation:
    • Human model of usage
    • Mistake, checking in secret keys to github
  • Failures of implementation:
    • improperly handling untrusted input
    • time of use and time of check
    • error handling leaks implementation
    • linux scheduling
  • Failures of design:
    • MD5, SHA1 hash function
    • wifi pwd protocol
  • Failures of abstraction: when the assumed abstraction does not hold, which leads to catastropic flaws in security. (These are sometimes the most interesting cases to study.)
    • side-channels: power, acoustical, spectre, meltdown
    • adversary is stronger than expected
    • Unintended consequenses: privacy loss

As we study these failures, and hopefully understand how to design better systems, the field also considers practical defenses against unforseen attacks and adversaries:

  • Defense in depth
  • reducing attack surface (e.g., point-to-point instead of perimeter security)
  • least privilege
  • advanced cryptography

The course will also introduce students to legal and ethical issues associated with cybersecurity. The course will quickly cover most of the required background, and so we encourage wide participation.

Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.

Course Schedule

Lecture Topic Due
L1 L2 Intro, Linux
L3 L4 Passwords, 2FA, biometrics P0
L5 L6 2FA, Distributed Password Models, Access control
L7 L8 Access control (capabilities, mandatory), Crypto P1
L9 L10 Crypto: PRG, Enc, MAC, PRF, PKC
L11 L12 Signatures, Social Engineering P2
L13 L14 Cognitive bias, Anonymous data isnt!
L15 L16 System security and Exploits P3
L17 L18 Buffer exploits lab
L19 L20 Buffer Exploits lab, SQL P4
L21 L22 SQL & Web security (injection, xss, csrf) P5
L23 L24 IOT Security & Web security
L25 L26 Network security & Wireless networking P6
L27 Wireless & Review P7, P8
Extra Extra topics for the curious that we couldn’t cover

Ethics

You will learn about security techniques and tools that can potentially be used for offensive purposes; “hacking” in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.

Grading

Your final grade is computed as a weighted sum of your project scores and your quiz scores.

  • Projects (8): 5%, 10%, 10%, 10%, 10%, 10%, 10%, 10%
  • Quizzes (10): 2.5% each

Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score.

We assign final letter grades on a standard curve with roughly half the grades in the A/A- category; we may take into account special factors like the number of late days you have used when assigning letter grades.

Projects

There will be eight projects throughout the semester. Projects must be submitted before 11:59:59pm on the specified date. You can submit as many times as you like through gitlab.
Your last commit timestamp on your files will be used to determine lateness.

Assignment Description Due Date Piazza Tag % of Final Grade
Project 0 Linux Basics 1/29 #project0 5%
Project 1 Passwords 2/12 #project1 10%
Project 2 Access controls 2/26 #project2 10%
Project 3 Cryptography 3/12 #project3 10%
Project 4 De-anonymization 3/26 #project4 10%
Project 5 Forensics 4/2 #project5 10%
Project 6 Capture The Flag 4/16 #project6 10%
Project 7 Web Capture the Flag 4/23 #project7 10%
Project 8 Bonus 4/23 #project8 0%

If required, any programming needed for projects can be done in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Khoury College Linux machine. Notice the stress on unmodified: if you’re relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the Khoury College Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.

Quizzes

Throughout the semester, there will be several in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less. They are not meant to cause grief, and the questions will be straightforward. The goals of the quizzes are to encourage careful study of the lecture material.

Quizes will be posted and answered through Gradescope; you will have roughly 1 day after the time a quiz is announced to submit your answer. If you take this course asynchronously, it is your responsibility to ensure that you submit these quizzes on time.

Late Policy

This class has a generous late policy. If the grading for your project is automated by script (i.e., it uses the gradescope autograder), then the deadlines have some flexibility. Within 3-7 days after the posted deadline, we will turn off the grader and post the grades to canvas, after which you will not be able to submit. We do not know exactly when we will cut off the grader, so your best strategy is to aim to finish all projects by the posted deadlines to guarantee you get credit.

This added flexibility will help everyone during a stressful and odd year; however, do not become too reliant on these automatic extensions. Extensions beyond this policy will not be given unless you have health issues. Do your best to satisfy the posted deadlines. The course staff may not be able to help you on older assignments. Thus, we encourage you to stay up to date with the course. The number of late days you use could effect your final letter grade, especially if you are on the border between two letter grades.

On the other hand, for the projects which are written and hand-graded, the deadlines are very firm and there will be no lateness accepted. This is because our staff needs to quickly grade and return these assignments, and late submissions will not allow us to finish in fair and timely manner.

This policy is easy for you and easy for the course staff. It is your responsibility to keep up with the course work. If you happen to test COVID-positive, you will have an automatic extension until you recover.

Cheating Policy

  1. Collaborating with other students in the class on homework problems is encouraged, though we urge you to first attempt working out all of the problems by yourself. It’s ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn.

  2. However, you must write up, prepare, submit your solutions, in your own words. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.

Example: If you have copied and pasted any text from someone else, you have violated this policy even if the two of you were working together on an assignment. Type your own keystrokes that lead you to a solution; do not copy commands that you do not understand or that you were given to you by someone else.

  1. All students are subject to the Northeastern University’s Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.

  2. If you violate this policy, you receive a 0. There will be very little leeway on enforcement of this policy.

Textbook

You do not need a textbook for this course. I am not aware of a great textbook on cybersecurity that aligns with my approach to the topic. However, there are many online resources that cover the topics of this course.
Here is a free online textbook on security that might help you; you will have to find the relevant topics that correspond to class.