CY 2550 - Foundations of Cybersecurity


Course Syllabus

Course Description
Major security breaches routinely make headline news and impact the lives of millions of people. Cybercrime is a multi-million dollar, mature business. Advanced, persistent threats posed by nation-state adversaries are beginning to impact critical infrastructure, and even democratic processes themselves. As technology becomes embedded in ever more facets of our lives, society, business, and government, the need for cybersecurity experts to protect our infrastructure grows.

This course presents an overview of basic cybersecurity principles and concepts, including systems and communications security. The high-level goal is to introduce the breadth of topics in the cybersecurity space to students and begin training them to apply these ideas through an understanding of defensive mechanisms and attacker strategies.

The course will cover essential security properties like confidentiality and integrity, as well as desirable properties like least privilege and defense in depth. Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.

Course Objectives

Attendance, Lecture Format, and In-class Prep
While attendance is not mandatory, students are strongly encouraged to attend class. Quizzes and homework assignments will be based on the material learned in class, and with quizzes being more of the ‘pop’ variety, one does not want to potentially lose out on points. It is also important to note that some of the homework and projects require classmate communication, so knowing other students can make some projects easier. Wellness days can be used whenever a student prefers.

This class will use a traditional, lecture-style format, punctuated with in-class examples. Slides are available in the course schedule below.

I recommend that students bring a laptop to class that has access to a local Unix/Linux-style command line. You can rely on SSH or PuTTY to get a remote command line on the Khoury College machines, but you run the risk of Wi-Fi connection issues leaving you unable to work. macOS users should be able to use the default Mac command line and Homebrew; Windows users can install Linux in a virtual machine, or, if you have a recent version of Windows 10, you can install the Windows Subsystem for Linux (WSL) and then download a copy of Ubuntu right from the Windows Store.

Ethics
In this class, you will learn about security techniques and tools that can potentially be used for offensive purposes; "hacking" in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own and may violate the law.

Disclaimer
This course is about the legal implications of certain behavior related to the use of information technologies and activities in cyberspace. Every effort will be made to provide accurate and complete information. Please note, however, that at no time during this course will legal advice be offered. Any student or attendee needing legal advice should seek the services of a lawyer authorized to practice in the appropriate jurisdiction.

Course Material
I do not require students to get textbooks. However, there is one that will be required reading during this course:

Recommended Reading (Not Required):

Course Schedule
** Potentially Subject to Change Based On Exterior Factors **

Week Number    Topic
Week 1         Course Introduction, History of Cybersecurity
Week 2         Threat Modeling
Week 3         Cryptography
Week 4         Cryptography, Authentication & Passwords
Week 5         Access Control
Week 6         Social Engineering, Cyberlaw, and Ethics
Week 7         Cyberlaw and Ethics, Systems Security
Week 8         Systems Security, Exploits
Week 9         Spring Break
Week 10        Exploits
Week 11        Cybercrime Underground and Botnets
Week 12        DDoS, APT
Week 13        Web Privacy
Week 14        Moving Forward in Cybersecurity
Week 15        No Lecture, Final Class
Week 16        FINAL EXAM WEEK

Grading
The overall course grade will be established as follows*:
[Image: grading.png]
* The professor holds the right to adjust/alter the grading if necessary.

Projects (54% of Total Grade)
There will be seven (7) projects throughout the semester. Projects are due at 11:59:59pm on the specified date. You will use a turn-in script to create a compressed archive of the necessary files for the assignments, timestamp them, and submit them for grading. I highly recommend that students start assignments early!
[Image: projects-1.png]
* Dates, while mostly set in stone, have the potential to be extended under certain circumstances.

Quizzes (2% each, 16% of Total Grade)
Throughout the semester, there will be eight (8) quizzes. These quizzes will be brief; they are designed to be completed in 30 minutes or (probably) less. They are not meant to cause students grief. The goals of the quizzes are to incentivize attendance and encourage the careful study of the lecture material. If a student misses a class due to a Wellness Day, that quiz can be made up during an office hour or through communication with the professor.

Homework Assignments (5% each, 15% of Total Grade)
There will be three (3) homework assignments during the semester. These assignments will have a range of questions that are meant to challenge students on what they learn in class. Students will also be asked to think beyond the material and provide their own opinions while answering questions in the homework. Homework assignments will be a variety of short answer and open-response questions. Unless specified, homework assignments are to be done alone.
[Image: homework-1.png]

Participation (5% of Total Grade)
I do not require students to attend class, and we won’t be taking attendance. If you need to miss class for any reason, you don’t need to tell us beforehand. That said, we like teaching and interacting with students, so please attend class and speak up. We welcome questions and discussion! Note that your participation grade will be based not only on your participation in class but also on the Piazza forum; please feel free to engage with other students there (but do not simply give out answers to the questions, of course).

Final Paper (10% of Total Grade)
The final paper is designed for students to apply what they learn in the class to a real-world example. As this paper substitutes for the final exam, it is expected that students will pull the knowledge they have accumulated from the lectures, homework, and projects to look at a real cybersecurity event. It also serves as an opportunity to conduct individual research as well as explore some of the more interesting cybersecurity issues with greater depth than is offered in the class. This assignment will be completed as an individual and will be due on Friday, April 21st at 9:00 PM EST. There will be plenty of time to complete this assignment, so slip days will not apply; only extreme circumstances will allow for an extension, on a case-by-case basis.

Extra Credit
There is no guaranteed extra credit in this course. The best way to get a good grade in this course is to understand the material and dedicate sufficient time to the projects and homework. By week 10, there may be an option to pick up extra points. If there is an added extra credit option, it will strictly be individual work, with no teams.

Lack of Exams
Why no exams? My personal approach to education is that many exams don’t test for knowledge; they test for memorization. I would rather assign homework and projects that are more thought-provoking and allow students to answer questions that may call for more than cut-and-dried answers. The benefits of test-taking will be on a smaller scale with quizzes.

Classroom Environment
To create and preserve a classroom atmosphere that optimizes teaching and learning, all participants share responsibility for creating a civil and non-disruptive forum for the discussion of ideas. Students are expected to conduct themselves at all times in a manner that does not disrupt teaching or learning. Your comments to others should be constructive and free from harassing statements. You are encouraged to disagree with other students and the instructor, but such disagreements need to be respectful and be based on facts and documentation (rather than prejudices and personalities). The instructor reserves the right to interrupt conversations that deviate from these expectations. Repeated unprofessional or disrespectful conduct may result in a lower grade or more severe consequences. Part of the learning process in this course is a respectful engagement of ideas with others.

Letter Grades
[Image: letter_grade.png]
I do not curve the grades. All fractions will be rounded up.

Request for Regrading
In this class, we will use the Coaches Challenge to handle requests for regrading. Each student is allotted two (2) challenges each semester. If you want a project, quiz, or homework to be regraded, you must come to the professors' office hours and make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days or any points lost due to lateness. Note that, in the case of projects, all group members must have an available challenge in order to contest a grade. If the challenge is successful, then all group members get to keep their challenge. However, if the challenge is unsuccessful, then all group members permanently lose one challenge.

Late Policy
For programming projects and homework, we will use flexible slip days. Each student is given ten (10) slip days for the semester. You may use the slip days on any project or homework during the semester in increments of one day. For example, you can hand in one project ten days late, or one project two days late, and two projects four days late. You do not need to ask permission before using slip days; simply turn in your assignment late and the grading scripts will automatically tabulate any slip days you have used.

Slip days will be deducted from each group member's remaining slip days. Keep this stipulation in mind: if one member of a group has zero slip days remaining, then that means the whole group has zero slip days remaining.

After you have used up your slip days, any project handed in late will be marked off using the following formula:

Original_Grade * (1 - ceiling(Seconds_Late / 86400) * 0.2) = Late_Grade

In other words, every day late is 20% off your grade. Being 1 second late is exactly equivalent to being 23 hours and 59 minutes late. Since you will be turning in your assignments on Gradescope, their clocks are the benchmark time (so beware clock skew between your desktop and Khoury College if you're thinking about turning in work seconds before the deadline). My late policy is extremely generous, and therefore we will not be sympathetic to excuses for lateness.

Cheating Policy
It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.

All students are subject to Northeastern University's Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result in deferred suspension, suspension, or expulsion from the university.

Student Accommodations
Northeastern University and the Disability Resource Center (DRC) are committed to providing disability services that enable students who qualify under Section 504 of the Rehabilitation Act and the Americans with Disabilities Act Amendments Act (ADAAA) to participate fully in the activities of the university. To receive accommodations through the DRC, students must provide appropriate documentation that demonstrates a current substantially limiting disability. 

For more information, visit http://www.northeastern.edu/drc/getting-started-with-the-drc/.

Diversity and Inclusion
Northeastern University is committed to equal opportunity, affirmative action, diversity, and social justice while building a climate of inclusion on and beyond campus. In the classroom, members of the University community work to cultivate an inclusive environment that denounces discrimination through innovation, collaboration, and an awareness of global perspectives on social justice.

Please visit http://www.northeastern.edu/oidi/ for complete information on Diversity and Inclusion.

Title IX
Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.