CY 2550 - Foundations of Cybersecurity
|Classroom:||Knowles Center 010 and Zooooom|
|Time:||Mondays and Thursdays, 11:45-1:25pm|
|Office Hours:||10:00-11:00am on Zoom, see the pinned thread on Piazza for the link|
|Teaching Assistants:||Kieran Croucher, Noelle Floyd, Byron Kress, Sarah Lackey, Nathan Pedowitz, Donald Sea, Cathleen Zhang, Riddhi Adhiya, Martin Petrauskas|
|TA Office Hours:||See the pinned TA Office Hours thread on Piazza for the latest info|
|Class Forum:||On Piazza|
Major security breaches routinely make headline news and impact the lives of millions of people. Cybercrime is a multi-million dollar, mature business. Advanced, persistent threats posed by nation-state adversaries are beginning to impact critical infrastructure, and even democratic processes themselves. As technology becomes embedded in ever more facets of our lives, society, business, and government, the need for cybersecurity experts to protect our infrastructure grows.
This course presents an overview of basic cybersecurity principles and concepts, including systems and communications security. The high-level goal is to introduce the breadth of topics in the cybersecurity space to students, and begin training them to apply these ideas through understanding of defensive mechanisms and attacker strategies.
The course will cover essential security properties like confidentiality and integrity, as well as desirable properties like least privilege and defense in depth. Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.
Readings will introduce students to the history of hacking and cybersecurity, as well as contemporary threats. Students will learn how to develop threat models that characterize attacker capabilities, goals, and the costs of different defensive strategies.
The course will also introduce students to legal, ethical, and human factors issues associated with cybersecurity.
Which Section of 2550 Is This?
There are three sections of CY 2550 in Spring 2021. This page is for two of them: CRN 35215 and CRN 35216, i.e., the ones being taught by Professor Wilson. Both sections will be covering roughly the same material, on the same schedule (roughly), using the same homeworks and projects, and sharing the same TAs.
For Professor abhi shelat's CY 2550 section (CRN 37247) see here.
CRN 35216: Boston in-person section
The in-person, Boston section of CY 2550 will be following the NUFlex online/offline hybrid teaching format to accommodate the needs of students and instructors during the ongoing COVID-19 pandemic. What this means is that the course will be run in a way that accommodates in-person, online synchronous, and online asynchronous participation.
Professor Wilson will be teaching classes in-person. These lectures will be live-streamed via Zoom to enable remote participation. If Professor Wilson cannot make an in-person class, prior notice will be posted on Piazza. Additionally, if conditions in the community become unsafe due to COVID-19, then class may be permanently moved online.
Students planning to attend lectures in-person are expected to stagger their attendance in accordance with Northeastern's dynamic scheduling policy.
CRN 35215: NUStart online course
The NUStart section of CY 2550 is a fully online course with prerecorded video lectures.
All projects and quizzes will be available online, can be completed entirely online, and will be turned in online. More details on homeworks and projects is available below. All discussion will take place via the class forum on Piazza.
Pre-recorded videos of the lecture material will be made available to all students in both sections. Live lectures will not be recorded.
Only students who have arranged an accommodation with the Disability Resource Center may use mechanical or electronic transcribing, recording, or communication devices in the classroom. Students with disabilities who believe they may need such an accommodation may contact the Disabilities Resource Center.
COVID-19 Safety and Accommodations
We expect all students to do their utmost to protect the safety of their peers and instructors during these unprecedented times. This includes abiding by all safety guidelines as stated in Northeastern's safe reopening policy.
We will be enforcing mask requirements for all students attending class in person. Course staff and instructors will all be wearing masks. Students who arrive to class without a mask will be told to leave until they can procure a mask.
We will be enforcing social distancing requirements for all students attending class in person. Students are expected to maintain a six foot distance from others. Students who violate the distancing policy will be asked to move, and if they fail to comply will be told to leave.
We realize that the ongoing pandemic makes it difficult to predict what will happen in the future, or how events may impact students' ability to attend lectures and/or turn in assignments on time. Recorded lectures will be posted online so that students who cannot attend live lectures may review them later. Students facing hardship that prevent them from completing an assignment on time should contact their professor and explain the situation. All reasonable requests will be honored.
The official prerequisite for this course is CS 2500. I expect students to be able to implement relatively straightforward programming assignments, i.e. ones that will not require hundreds of lines of complicated code. I strive to make my programming assignments as language agnostic as possible, but I will be using Python for in-class examples.
Basic knowledge of the Unix/Linux command line is essential for success in this class. We spend a week teaching these skills, and Project 0 asks students to exercise these skills. These skills include how to use SSH and SCP, write very simple shell scripts, check for running processes, kill runaway processes, create compressed archives, and edit files using emacs/vim.
Since CS 3650 (Computer Systems) and CS 3700 (Networks and Distributed Systems) are not prerequisites, you will not be expected to complete assignments that deal with assembly code, operating system internals, or low-level network protocols. If you expect to be doing binary exploitation in this class, you will be disappointed; you'll have to wait for CS 3740 (Systems Security) and CS 4740 (Network Security) for that stuff.
The class forum is on Piazza. Why Piazza? Because they have a nice web interface, as well as iPhone and Android apps. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. To keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me/the TA an email.
In this class, you will learn about security techniques and tools that can potentially be used for offensive purposes; "hacking" in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.
Lecture Format and In-class Prep
This class will use a traditional, lecture-style format, punctuated with in-class examples. Slides are available in the course schedule below.
I recommend that students bring a laptop to class that has access to a local Unix/Linux-style command line. You can rely on SSH or PuTTY to get a remote command line on the Khoury College machines, but you run the risk of Wifi connection issues leaving you unable to work. macOS users should be able to use the default Mac command line and Homebrew; Windows users can install Linux in a virtual machine, or, if you have a recent version of Windows 10, you can install the Windows Subsystem for Linux (WSL) and then download a copy of Ubuntu right from the Windows Store.
Schedule and Lecture Slides
|Jan. 18-22||Intro, History||Start Ghost in the Wires|
|Jan. 25-29||Threat Modeling, Linux Basics|
|Feb. 1-5||Linux Basics, Cryptography||Proj. 1 Due Feb. 5|
|Feb. 8-12||Cryptography, Authentication and Passwords||Proj. 2 Due Feb. 12|
|Feb. 15-19||Authentication and Passwords||Proj. 3 Due Feb. 19|
|Feb. 22-26||Access Control||Finish Ghost in the Wires||Proj. 4 Due Feb. 26|
|Mar. 1-5||Social Engineering, Cyberlaw and Ethics||Proj. 5 Due Mar. 5|
|Mar. 8-12||Cyberlaw and Ethics, Systems Security||Start Countdown to Zero Day|
|Mar. 15-19||Systems Security, Exploits||Proj. 6 Due Mar. 19|
|Mar. 29-Apr. 2||Cybercrime Underground and Botnets||Proj. 7 Due Apr. 2|
|Apr. 5-9||DDoS, APT||Finish Countdown to Zero Day||Proj. 8 Due Apr. 9|
|Apr. 12-16||No lecture on April 12, Web Privacy|
|Apr. 19-23||No lecture on April 22, Web Privacy||Proj. 9 Due Apr. 23|
|Apr. 26-30||Finals Week, no lectures|
I do not require students to get textbooks. However, there are two books that will be required reading during this course:
- Ghost in the Wires: My Adventures as the World's Most Wanted Hacker by Kevin Mitnick
- Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
There may be additional readings from online articles and academic papers. These will be made available via this webpage or the slides.
There will be nine projects throughout the semester. Assignments are due at 11:59:59pm on the specified date. You will use a turn-in script to create a compressed archive of the necessary files for the assignments, timestamp them, and submit them for grading. I highly recommend that students start assignments early!
|Assignment||Description||Due Date||Piazza Tag||% of Final Grade|
|Project 1||Linux Basics||Friday, February 5||#project1||5%|
|Project 2||Cryptography||Friday, February 12||#project2||5%|
|Project 3||Password Generation||Friday, February 19||#project3||10%|
|Project 4||Password Cracking||Friday, February 26||#project4||10%|
|Project 5||Access Control||Friday, March 5||#project5||10%|
|Project 6||Cybersecurity Ethics||Friday, March 19||#project6||5%|
|Project 7||Command Line Capture the Flag||Friday, April 2||#project7||10%|
|Project 8||Forensics||Friday, April 9||#project8||10%|
|Project 9||Web Capture the Flag||Friday, April 23||#project9||10%|
Most projects can be programmed in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Khoury College Linux machine. Notice the stress on unmodified: if you're relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the Khoury College Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.
There will not be midterms or finals in this class.
Throughout the semester, there will be five quizzes. These quizzes will be brief; they are designed to be completed in 30 minutes or less. They are not meant to cause students grief, and the questions will be straightforward. The goals of the quizzes are to incentivize attendance and encourage careful study of the lecture material.
I do not require students to attend class and I won't be taking attendance. That said, I prefer an interactive classroom, and I encourage everyone to attend, ask questions, and participate!
|Projects (9):||5%, 5%, 10%, 10%, 10%, 5%, 10%, %10, 10%|
|Quizzes (5):||5% each|
Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score :)
To calculate final grades, I simply sum up the points obtained by each student (the points will sum up to some number x out of 100) and then use the following scale to determine the letter grade: [0-59] F, [60-62] D-, [63-66] D, [67-69] D+, [70-72] C-, [73-76] C, [77-79] C+, [80-82] B-, [83-86] B, [87-89] B+, [90-92] A-, [93-100] A. I do not curve the grades in any way. All fractions will be rounded up.
Requests for Regrading
In this class, we will use the Coaches Challenge to handle requests for regrading. Each student is allotted two (2) challenges each semester. If you want a project or a test to be regraded, you must come to the professors office hours and make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days, or any points lost due to lateness.
Note that, in the case of projects, all group members must have an available challenge in order to contest a grade. If the challenge is successful, then all group members get to keep their challenge. However, if the challenge is unsuccessful, then all group members permanently lose one challenge.
For programming projects, we will use flexible slip days. Each student is given ten (10) slip days for the semester. You may use the slip days on any project or homework during the semester in increments of one day. For example, you can hand in one project ten days late, or one project two days late and two projects four days late. You do not need to ask permission before using slip days; simply turn in your assignment late and the grading scripts will automatically tabulate any slip days you have used.
Slip days will be deducted from each group member's remaining slip days. Keep this stipulation in mind: if one member of a group has zero slip days remaining, then that means the whole group has zero slip days remaining.
After you have used up your slip days, any project handed in late will be marked off using the following formula:
Original_Grade * (1 - ceiling(Seconds_Late / 86400) * 0.2) = Late_Grade
In other words, every day late is 20% off your grade. Being 1 second late is exactly equivalent to being 23 hours and 59 minutes late. Since you will be turning-in your code on the Khoury College machines, their clocks are the benchmark time (so beware clock skew between your desktop and Khoury College if you're thinking about turning-in work seconds before the deadline). My late policy is extremely generous, and therefor we will not be sympathetic to excuses for lateness.
It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.
All students are subject to the Northeastern University's Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.
Accommodations for Students with Disabilities
If you have a disability-related need for reasonable academic accommodations in this course and have not yet met with a Disability Specialist, please visit www.northeastern.edu/drc and follow the outlined procedure to request services. If the Disability Resource Center has formally approved you for an academic accommodation in this class, please present the instructor with your "Professor Notification Letter" at your earliest convenience, so that we can address your specific needs as early as possible.
Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.