20f-2550: Introduction to Cybersecurity
Welcome to CY 2550!
This course will be delivered using the Hybrid NUflex learning modality and our course staff will be teaching remotely. We will join you virtually in the class at the scheduled class time using Zoom with some students in the classroom and others joining remotely. You will be able to ask questions, discuss, and interact with me and other students in real time. Remember that on your scheduled days in the classroom, you will need to practice healthy distancing and wear a face mask or face covering. We will also be available for virtual office hours on the days/times in the syllabus.
- You have a few action items before class:
Instructors: Ran Cohen, abhi shelat
We meet T 11:45–1:25, R 2:50–4:30, Shillman Hall 320
We have 4 TAs for this class.
- TAs: Jack Doerner, Yash Kondi, Nathan Pedowitz, David Brainerd
- The best way to engage the course staff is via piazza and office hours.
- Tues 2–3p: Jack, online
- Wed 2–3p: Yash, online
- Wed 5–6p: Carter, online
- Thu 6–8:30p: Nathan, online
- Thu 10–11a: abhi, online & by appt
- Fri 11:30–1p: Nathan, online
- Fri 9:30–11:30: Ran, online
- Fri 2–4p: Carter, online
- Zoom links will be posted in piazza.
This is an introductory (first-year) course that presents an overview of basic cybersecurity principles and concepts. The high-level goal is to introduce the main topics in security, the adversarial-thinking mindset, threat modelling, and the design of defense mechanisms.
In my own interpretation, a large part of the field is understanding different classes of failures for critical systems. I think of four categories of failures:
- Failures of operation:
  - Human model of usage
  - Mistakes, e.g., checking keys into GitHub
- Failures of implementation:
  - Improperly handling untrusted input
  - Time-of-check to time-of-use (TOCTOU) races
  - Error handling that leaks implementation details
  - Linux scheduling
- Failures of design:
  - MD5 and SHA-1 hash functions
  - Wi-Fi password protocol
- Failures of abstraction: when the assumed abstraction does not hold, which leads to catastrophic flaws in security. (These are sometimes the most interesting cases to study.)
  - Side channels: power, acoustic, Spectre, Meltdown
  - Adversary is stronger than expected
  - Unintended consequences: privacy loss
As we study these failures, and hopefully understand how to design better systems, the field also considers practical defenses against unforeseen attacks and adversaries:
- Defense in depth
- reducing attack surface (e.g., point-to-point instead of perimeter security)
- least privilege
- advanced cryptography
The course will also introduce students to legal and ethical issues associated with cybersecurity. The course will quickly cover most of the required background, and so we encourage wide participation.
Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.
| Lectures | Topic | Project |
|---|---|---|
| L2 L3 | Passwords, Hashing | P0 due 9/18 |
| L4 L5 | Passwords, 2FA, Distributed | |
| L6 L7 | Access control (AC matrix, discretionary, mandatory) | P1 due 10/2 |
| L8 L9 | Crypto: PRG, Enc, MAC, PRF, PKC | |
| L10 L11 | Crypto, example of adversary, private key encryption | P2 due 10/16 |
| L12 L13 | Auth failures & Social Engineering | |
| L14 L15 | Cognitive bias, Anonymous data isn't! | P3 due 10/30 |
| L16 L17 | Voting, Cyberlaw | |
| L18 L19 | System security and Exploits | P4 due 11/13 |
| L20 L21 | System security | |
| L22 | Buffer exploit lab | P5 due 11/24 |
| L23 L24 | SQL & Web security (injection, XSS, CSRF) | P6 due 12/7 |
| L25 | Network security | P7 due 12/11 |
You will learn about security techniques and tools that can potentially be used for offensive purposes; “hacking” in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.
Your final grade is computed as a weighted sum of your project scores and your quiz scores.
- Projects (8): 5%, 10%, 10%, 10%, 10%, 10%, 10%, 10%
- Quizzes (10): 2.5% each
Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score.
We assign final letter grades on a curve and are generous; we may take into account special factors like the number of late days you have used when assigning letter grades.
There will be eight projects throughout the semester. Projects must be submitted before 11:59:59pm on the specified date. You can submit as many times as you like through gitlab. Your last commit timestamp on your files will be used to determine lateness.
| Assignment | Description | Due Date | Piazza Tag | % of Final Grade |
|---|---|---|---|---|
| Project 0 | Linux Basics | 9/18 | #project0 | 5% |
| Project 2 | Access controls | 10/16 | #project2 | 10% |
| Project 6 | Capture The Flag | 12/4 | #project6 | 10% |
If required, any programming needed for projects can be done in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Khoury College Linux machine. Notice the stress on unmodified: if you’re relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the Khoury College Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.
Throughout the semester, there will be several in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less. They are not meant to cause grief, and the questions will be straightforward. The goals of the quizzes are to encourage careful study of the lecture material.
This class has a very generous late policy. If the grading for your project is automated by script (i.e., it uses the Gradescope autograder), then the deadlines are merely suggestions. You can turn them in whenever you like before the solution sets are handed out. The solutions will generally be posted within 7–10 days after the due date. Moreover, the course staff may not be able to help you on older assignments. Thus, we encourage you to stay up to date with the course. The number of late days could affect your final letter grade, especially if you are on the border between two letter grades.
On the other hand, for the projects which are written and hand-graded, the deadlines are very firm and no lateness will be accepted. This is because our staff needs to quickly grade and return these assignments, and late submissions would not allow us to finish in a fair and timely manner.
This policy is easy for you and easy for the course staff. It is your responsibility to keep up with the course work.
If you happen to test COVID-positive, you will have an automatic extension until you recover.
Collaborating with other students in the class on homework problems is encouraged, though we urge you to first attempt working out all of the problems by yourself. It’s ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn.
However, you must write up, prepare, and submit your solutions in your own words. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or from students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e., you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.
All students are subject to Northeastern University’s Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result in deferred suspension, suspension, or expulsion from the university.
If you violate this policy, you receive a 0. There will be very little leeway on enforcement of this policy.
You do not need a textbook for this course.