CS306: Introduction to IT Security Fall 2020
Lecture 1: Introduction
Instructor: Nikos Triandopoulos September 1, 2020
Today
• Course logistics
• Introduction to the field of IT security
  • in-class discussion with a real-world example
1.1 Course logistics
CS306: Topic of study
“Introduction to IT Security”
• “IT” = Information Technology
  • the study or use of information systems (especially computers, the Internet and telecommunications) for storing, retrieving, and sending information
• “IT security” = “computer security” = “cyber security”
  • the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide
• “Introduction to IT Security”
  • introductory course, broad topics w/ focus on basic tools & applications
CS306: Who can take it
• Undergraduate course
• Prerequisite course is CS135 or MA134 (i.e., discrete math)
• Required course for Cyber-security & Computer Science concentrations
  • in study plans of CyS sophomores & CS seniors
• Full-credit course (w/ grade)
PLEASE contact me if any of the above does not apply to you
CS306: Lectures & labs
CS306 is offered in 2 required sessions, each offered in multiple sections
• lectures
  • CS306-A: Tue 2:00pm – 4:30pm, Online, 67 / 69
  • CS306-B: Tue 6:30pm – 9:00pm, Online, 63 / 69
• labs
  • CS306-Lx (Thursdays)

  x   time            enrollment
  A   8 – 8:50        1
  B   9:30 – 10:20    18
  C   11:00 – 11:50   29
  D   12:30 – 13:20   29
  E   2:00 – 2:50     29
  F   3:30 – 4:20     24

PLEASE contact me if you have not enrolled in any lab section
CS306: Lectures & labs (continued)
• Lecture/lab sections will cover the same materials
• Changes in lecture or lab sections
  • allowed (if need be) but generally discouraged (for planning purposes)
• In any case, if a section change is necessary
  • students must let the TAs or instructor know well in advance
Disclaimer on lecture format
• Lectures take place in 2.5h slots
  • CS306-A: Tue 2:00pm – 4:30pm, Online, 67 / 69
  • CS306-B: Tue 6:30pm – 9:00pm, Online, 63 / 69
• Highly problematic & undesirable for both students & instructor
• Unfortunately unavoidable due to existing scheduling restrictions
  • namely, finding two time slots that allow both CyS sophomores and CS seniors to enroll, without conflicting with other required CS courses, is nearly impossible
  • let alone satisfying other Institute-wide policies and finding high-capacity rooms
Please provide suggestions on what can make the class experience better despite 2.5h lectures
CS306: Staff
• Instructor
  • Nikos Triandopoulos, ntriando@stevens.edu
  • course organization / management, lectures, assignments, grades, …
  • all mistakes will also be mine :)
  • office hours: Tuesdays 1 – 2pm or by appointment
  • office location: GS 428 – not available in Fall 2020
  • virtual office hours: Zoom ID 91463728672
• Teaching assistants
  • assistance w/ labs, assignments, “help sessions” as needed, some grading, demos
  • TAs & office hours: TBA
CS306: Course organization – what is offered
• Weekly lectures
  • materials covered via presentations, demos and whiteboard or in-class discussions
  • two ~10 min breaks (on the 50min marks in the lecture)
• Weekly labs
  • guided recitation of basic concepts, discussions, preparation of homework sets
• 3 – 4 homework sets
  • revision and application of covered materials
• TA hours
• Office hours by instructor
CS306: Learning materials
• Lectures
  • lecture notes: slides in pdf available online after class
  • additional materials covered via demos and whiteboard or in-class discussions
• Lab & homework assignments
  • Canvas quizzes, practice code, online resources
• Optional textbook
  • Security in Computing, 5th edition, by Pfleeger, Pfleeger & Margulies, Prentice Hall
  • available as hardcopy or e-book
CS306: Grading (tentative*)
• 20%   Participation (labs attendance & in-class quizzes)
• 40%   Homework assignments
• 40%   2 exams (midterm & final)
• 110%  Total (w/ extra credit opportunities via homework assignments)
• Tentative* grading scheme
  • A: 90-100
  • B: 80-89
  • C: 70-79
PLEASE don’t estimate your grade; if you have concerns, just contact me!
*Adapted as needed to fairly benefit the class
CS306: Course workload – what is expected from you
• Attend online lectures regularly & participate
  • e.g., you are expected to ask questions and provide comments
• Attend labs
• Hand in homework assignments
• Pass exams
PLEASE don’t underestimate this; protect yourself and your classmates!
• Work independently (unless otherwise explicitly specified)
  • collaboration policy is governed by the Honor System
• Provide feedback
CS306: Policies (not a complete list)
• All class matters will be handled through Canvas
• Attendance of lectures & labs is required
  • only one missed lab is allowed
  • there are no make-up labs or quizzes
• Laptops
  • required
• Late assignments
  • 3 free late days, after which 10% per-day reduction
  • an exception may be granted by the instructor, if there is an important reason
CS306: Announcements
• Course materials will appear on Canvas
  • I’ll make every effort to be complete, consistent and accurate in all updates
  • please be patient as I set up the processes and finalize course materials
  • communication (e.g., questions about course materials, announcements, etc.)
• No lab session this week
• TA hours & office hours will start next week, from Wednesday, September 9
CS306: Tentative Syllabus

Week  Date                Topics                            Reading                  Assignment
1     Sep 1               Introduction                      Lecture 1                –
2     Sep 8               Symmetric-key crypto I
3     Sep 15              Symmetric-key crypto II
4     Sep 22              Public-key crypto I
5     Sep 29              Public-key crypto II
6     Oct 6               Access control & authentication
–     Oct 13              No class (Monday schedule)
7     Oct 20              Midterm                           All materials covered
8     Oct 27              Software & Web security
9     Nov 3               Network security
10    Nov 10              Database security
11    Nov 17              Cloud security
12    Nov 24              Privacy
13    Dec 1               Economics
14    Dec 8               Legal & ethical issues
15    Dec 10 (or later)   Final (closed “books”)            All materials covered*

* w/ focus on what is covered after the midterm
CS306: Course outcomes
• Terms
  • describe common security terms and concepts
• Cryptography
  • state basics/fundamentals about secret and public key cryptography concepts
• Attack & Defense
  • acquire a basic understanding of attack techniques and defense mechanisms
• Impact
  • acquire an understanding of the broader impact of security and its integral connection to other fields in computer science (such as software engineering, databases, operating systems) as well as other disciplines including STEM, economics, and law
• Ethics
  • acquire an understanding of ethical issues in cyber-security
Questions?
• Please ask questions during class!
Today
• Course logistics
  • topic of study, enrollment eligibility, sessions
  • staff, learning materials, course organization
  • expectations, grading, policies, announcements
  • syllabus overview, course objectives/outcomes
• Introduction to the field of IT security
  • in-class discussion with a real-world example
1.2 Secure outsourced computation
Another example: Tax return preparation…
Involves information collection & processing
• calculate financial data
  • payroll, profits, stock quotes, …
• manage data
  • search emails, store records, …
• submit – done!
… by many unknown machines!
Data & computation outsourcing
Cloud-based services
• hardware, OS, software, apps, …
• storage, computation, databases, analytics, …
Transformative multi-platform technology
• businesses, organizations or individuals
• e.g., *aaS, Internet protocols, social networks, big-data analytics, sharing economy, FinTech
• client-server, distributed, P2P, Web-based, …
Security consequences
Fact: Untrusted interactions
• information is processed outside one’s administrative control or “trust perimeter”
Risk: Falsified / leaked information
• information may be unintentionally altered by or shared with unauthorized entities
Goal: Integrity / privacy safeguards for outsourced assets
• need to protect information against change, damage / unauthorized access
What can go wrong?
Threats:
• misconfigurations, erroneous failures, limited liability
• economic incentives of cost-cutting providers
• compromises, attacks, advanced persistent threats (APTs)
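The integrity goal on the preceding slides (protecting outsourced information against change, whether caused by misconfiguration, a cost-cutting provider or a compromise) is illustrated below with an added example that is not part of the lecture materials. The client keeps a secret key, tags every record with an HMAC bound to the record identifier before handing it to the provider, and verifies the tag on every read; the provider is simulated by a Python dict, and the record identifiers, contents and key are constructed sample values. It goes slightly beyond the slide by also showing why the tag must cover the identifier: otherwise a provider could answer a query with a different record that carries its own valid tag.

```python
"""
Client-side integrity protection for records kept at an untrusted provider.

Added example for this lecture, not taken from the course materials. The client is
the only party holding the key; the provider is simulated by a plain dict; all
record identifiers, contents and the key are constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Store = Dict[str, Tuple[bytes, bytes]]  # record_id -> (payload, tag)


def tag_record(key: bytes, record_id: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over (record_id, payload).

    Binding the identifier into the tag means a tag is only valid for the record
    it was issued for, so the provider cannot answer a request for one record
    with another record that carries its own valid tag.
    """
    rid = record_id.encode("utf-8")
    # Length-prefix the identifier so the (id, payload) split is unambiguous.
    msg = len(rid).to_bytes(4, "big") + rid + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    """Data owner: tags records on write, verifies tags on read."""

    def __init__(self, provider: Store, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.provider = provider  # untrusted storage, outside the trust perimeter

    def store(self, record_id: str, payload: bytes) -> None:
        self.provider[record_id] = (payload, tag_record(self.key, record_id, payload))

    def retrieve(self, record_id: str) -> Optional[bytes]:
        """Return the payload if its tag verifies; None if missing or tampered."""
        entry = self.provider.get(record_id)
        if entry is None:
            return None
        payload, tag = entry
        expected = tag_record(self.key, record_id, payload)
        # Constant-time comparison so tag bytes are not leaked through timing.
        if not hmac.compare_digest(tag, expected):
            return None
        return payload


def demo() -> Dict[str, Optional[bytes]]:
    """Honest storage, then two kinds of provider misbehaviour."""
    storage: Store = {}
    client = Client(storage)
    # Constructed sample records (not real financial data).
    client.store("payroll-2020-08", b"salary=5000;tax=1200")
    client.store("payroll-2020-09", b"salary=5000;tax=1250")

    results: Dict[str, Optional[bytes]] = {}
    results["honest"] = client.retrieve("payroll-2020-08")

    # Misbehaviour 1: stored content is altered (bug, misconfiguration or attack);
    # the old tag no longer matches, so the read is rejected.
    payload, tag = storage["payroll-2020-08"]
    storage["payroll-2020-08"] = (payload.replace(b"tax=1200", b"tax=0"), tag)
    results["modified"] = client.retrieve("payroll-2020-08")

    # Misbehaviour 2: the provider serves a different record that carries its own
    # valid tag; the identifier binding makes this fail verification as well.
    storage["payroll-2020-08"] = storage["payroll-2020-09"]
    results["swapped"] = client.retrieve("payroll-2020-08")

    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:9s} -> {'accepted: ' + value.decode() if value else 'REJECTED'}")
```

This covers the integrity half of the goal only: the privacy half would additionally require encrypting the payload before it leaves the client. A per-record tag also does not catch a provider that returns an older, still validly tagged version of a record, or that silently drops records; detecting that needs extra client-side state such as a version counter or a single root hash over the whole collection.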
Limited liability
“[We will] not be responsible for any damages arising in connection with any unauthorized access to, alteration of, or the deletion, destruction, damage loss or failure to store any of your content or other data.”
(Amazon Web Services customer agreement)
Advanced Persistent Threats (APTs)
Sophisticated, well-targeted cyber-attack campaigns
• aim for unauthorized data manipulation or exfiltration
• employ rich attack vectors & highly adaptive strategies
  • social engineering
  • zero-day vulnerabilities
  • low-and-slow progression
  • intelligence
• extremely hard to defend against or even to detect
Examples: RSA (2011), Bit9 (2013), Dyn (2016), Equifax (2017), …
World’s biggest data breaches
[Figure: “Information is beautiful” by David McCandless, world’s biggest data breaches (losses > 30K records), up to 2/2/18]
Real cases: Threats against integrity vs. confidentiality
Data Breach Investigations Report by Verizon (2013)
• servers are a high-value target
• compromises / attacks affect both confidentiality and integrity
The “new” big threat: Data manipulation
• US officials’ view: data manipulation is the new big threat
Today
• Course logistics
  • topic of study, enrollment eligibility, sessions
  • staff, learning materials, course organization
  • expectations, grading, policies, announcements
  • syllabus overview, course objectives/outcomes
• Introduction to the field of IT security
  • in-class discussion with a real-world example
  • coverage of basic concepts & terms