Apr 3rd, 2018
  1. CSCI 3403 –
  2. Introduction to Cyber Security For a Converged World
  3. Instructor Information
  4. Name: Daniel Massey
  5.  
  6. Course Information
  7. This course introduces core concepts in cybersecurity including confidentiality, integrity, authentication, risk management, and adversarial thinking. The concepts will be applied to both traditional information technology (IT) systems and cyber physical systems (CPS). The course provides a cyber security foundation that will allow practitioners in other fields to understand cyber security trade-offs and will also provide interested students with a basis for further study in cyber security. At the conclusion of the course students should have a solid foundation in cybersecurity and hands-on experience.
  8.  
  9. Learning Goals
  10. We will build on the following three (3) primary learning goals throughout the term:
  11.  
  12. Understand the core cyber security concepts of Confidentiality, Availability, Integrity, Risk Management, and Adversarial Thinking
  13. These concepts underpin most cyber security issues. By understanding both the theoretical concepts and practical applications, students will be equipped to address most cyber security challenges.
  14. Understand and gain practical experience with cyber security policies and trade-offs
  15. No useful system is perfectly secure and a key to cyber security is identifying and managing risks in a manner appropriate to the system being considered.
  16. Apply cyber security concepts to Cyber Physical Systems and the Internet of Things
  17. Cyber security challenges are not limited to traditional computer and data center models. Modern vehicles, medical devices, building controls, and a rapidly growing set of devices combine the physical and cyber worlds. It is critical to understand how cyber security concepts apply to these devices.
  18. Textbooks and Materials
  19. Textbooks: Computer Security: Principles and Practice (4th Edition), William Stallings and Lawrie Brown, Pearson, 2017, ISBN 978-0134794105
  20.  
  21. You can purchase the book through the CU bookstore or from online providers.
  22.  
  23. Assignments
  24. This course is evaluated on a scale of 100 total points. There are weekly homework assignments, a midterm exam, a final exam, and course projects.
  25.  
  26. Weekly Homework (15 points): The course will include weekly homework assignments. Homework is posted by midnight on Thursday and is due at the start of recitation. Note that CANVAS does not link the due date to your recitation, so ignore the hour in the due date. Homework is due at the start of your recitation section.
  27.  
  28. Midterm Exam (30 points): The midterm exam is scheduled for Tuesday March 13th in class. The midterm exam will be based on lectures and homework assignments in weeks one (1) through eight (8). Closed book and notes, except you may bring one (1) eight and a half (8.5) by eleven (11) inch paper with any notes you produce yourself.
  29.  
  30. Final Exam (30 points): The final exam follows the CU assigned final exam time of Tuesday May 8th, 4:30-7:00pm. The final exam will be based on lectures and homework assignments in weeks one (1) through sixteen (16). Closed book and notes, except you may bring two (2) eight and a half (8.5) by eleven (11) inch papers with any notes you produce yourself.
  31.  
  32. Course Projects (25 points): Students will select from a list of potential systems and explore security issues related to that system throughout the semester. The potential systems include a mobile phone, a server in a data center, an industrial control system, an autonomous drone/UAS, a vehicle, or a medical device. Students will work in teams of 5 and select one (1) (and only one) of those systems. In exceptional cases, a team could propose an alternate system with the approval of the instructor.
  33.  
  34. Grading
  35. The Weekly Homework Assignments are collectively worth 15 points, or 15% of your grade in the course.
  36. The Midterm Exam is worth 30 points, or 30% of your grade in the course.
  37. The Final Exam is worth 30 points, or 30% of your grade in the course.
  38. The Course Projects are worth 25 points, or 25% of your grade in the course.
  39. If you have any questions about your grade or how you are being assessed, please do not hesitate to contact me. If you have extenuating circumstances and are unable to meet an important deadline, please contact me directly to work out a resolution on a case-by-case basis.
  40. Course Topics Outline:
  41. The course will cover topics in the following order:
  42.  
  43. Knowledge Area: Cyber Security Cross Cutting Fundamentals: (10% of course, 1.5 weeks)
  44. Confidentiality, Integrity, Availability, Risk Management, and Adversarial Thinking. These five concepts form the basis of the rest of the course and in fact the field of cybersecurity. The five concepts are introduced and defined. All five are cross cutting and will apply to all knowledge areas discussed in the remainder of the course.
  45. Security Models and The NIST Cybersecurity Framework: This section shows how the five concepts above are used in well-known cyber security models. Specifically, this section will introduce the Bell-LaPadula (BLP), Biba, and Clark-Wilson models. All models include aspects of Risk Management and Adversarial Thinking. BLP focuses on Confidentiality while Biba focuses on Integrity as a dual of BLP. Clark-Wilson provides a different way to achieve Integrity and Availability. These models are the forerunners of the current NIST Cybersecurity Framework which focuses on Identify, Protect, Detect, Respond, and Recover.
  46. Cybersecurity Application Domains: This course will apply cybersecurity to a variety of application domains including: traditional Information Technology (IT), web, cloud, Cyber Physical Systems (CPS), the Internet of Things, Industrial Control Systems (ICS)/SCADA systems, and the supply chain.
  47.  
  48. Knowledge Area: Data Security (25% of course, 4 weeks)
  49. Basic Cryptography and Key Management: Cryptographic techniques are tools that will be used to achieve cyber security objectives. This section’s objective is to understand these tools, their advantages, and their limitations. Topics include encryption/decryption, sender authentication, data integrity, non-repudiation, attack classification (ciphertext-only, known plaintext, chosen plaintext, chosen ciphertext), secret-key/symmetric cryptography, public-key/asymmetric cryptography and public key certificates, block ciphers and stream ciphers, DES and AES, and secure hash functions (SHA-1, SHA-2, etc.).
  50. Authentication: Passwords, Dictionary attack, Brute force attack, Rainbow table attack, Password Storage and Salting, One-time passwords, Multi-factor authentication, Cryptographic tokens and devices, Biometric authentication
  51. Data Integrity: Message authentication codes (HMAC, CBC-MAC), Digital signatures, Authenticated encryption, Hash trees
  52. Access Control: Access control lists, Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based Access Control (RBAC)
  53. Access Control Additional Topics: (if time permits) Attribute-based Access Control (ABAC), Rule-based Access Control (RAC), History-based Access Control (HBAC), Identity-based Access Control (IBAC), Organization-based Access Control (OrBAC), Federated identities and access control
  54. Privacy: Definitions (Brandeis, Solove), Legal (HIPAA, FERPA, GLBA), Data Collection, Aggregation, and Dissemination, Social Engineering
  55. Data Storage and Physical Security: Data center security, access, key cards, and man traps, Rack level security, Data destruction, Backups, File Encryption, and Database Security
  56. Optional Topic: Additional Access Control Methods: (if time permits) Attribute-based Access Control (ABAC), Rule-based Access Control (RAC), History-based Access Control (HBAC), Identity-based Access Control (IBAC), Organization-based Access Control (OrBAC), Federated identities and access control
  57. Optional Topic: Forensics: (if time permits) Sources of digital evidence, Deleted and undeleted files, temporary files, Metadata, Print spool files, Slack space, Hibernation files, Windows registry, Log files, File systems, File recovery
  58.  
  59. Knowledge Area: Software Security and Software Assurance (20% of Course, 3.5 weeks)
  60. Software Design and Assurance Introduction: Introduces the key concepts of software design for both traditional information technology (IT) systems as well as the unique challenges faced by embedded systems, Industrial Control Systems (ICS), Cyber Physical Systems (CPS), and the Internet of Things (IoT)
  61. Representative Software Errors and Malware: Buffer Overflows and Input Validation, Botnets, Worms/Virus, Ransomware.
  62. The Top 10 Software Security Design Flaws: 1) Earn or Give, but Never Assume, Trust; 2) Use an Authentication Mechanism that Cannot be Bypassed or Tampered With; 3) Authorize after You Authenticate; 4) Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources; 5) Define an Approach that Ensures all Data are Explicitly Validated; 6) Use Cryptography Correctly; 7) Identify Sensitive Data and How They Should Be Handled; 8) Always Consider the Users; 9) Understand How Integrating External Components Changes Your Attack Surface; 10) Be Flexible When Considering Future Changes to Objects and Actors
  63. Software Security for Embedded Systems: resource constrained environments, industrial control system software, and the Internet of Things
  64. Design Principles: Principle of Least Astonishment, Principle of Least Privilege, and Separation of Duty
  65. Software Assurance Techniques: Static Analysis, Dynamic Analysis, and Hybrid Analysis
  66. Software Lifecycle and Software Updates: Importance of patching, unique security challenges and risks, secure updates for critical systems including vehicles and medical devices.
  67.  
  68. Knowledge Area: System and Network Security (25% of Course, 4 weeks)
  69. System and Network Design Overview: Introduces the key concepts in system design and network communication. This section provides a working knowledge of systems and networks since the course does not assume students have this background.
  70. Industrial Control Systems and Cyber Physical Systems: Introduces the unique system and network security configurations for Industrial Control Systems (ICS), Cyber Physical Systems (CPS), and the Internet of Things (IoT)
  71. Secure System Design: Security Design Principles, Security Architectures, Trusted Computing Base, Security Modes of Operation
  72. Secure Communication Protocols: Application Layer Protocols including HTTPS and SSH, Transport Layer Protocols including TLS and TLS, Network Layer Protocols including IPsec and VPNs, Core Infrastructure Protocols including DNSSEC, NTP, and BGP.
  73. Availability and Denial of Service: system availability, measures of availability, denial of service, Distributed Denial of Service (DDoS) attacks, Telephony Denial of Service (TDoS) attacks, Internet of Things (IoT) based attacks, defending cyber physical systems.
  74. Computer Network Defense: Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Honeypots
  75. Optional Topic: Advanced Network Security: (if time permits) Software Defined Networking, Software Defined Perimeters, and Network Virtualization.
  76.  
  77. Knowledge Areas: Human, Organizational, and Societal Security (20% of course, 3 weeks)
  78. Identity and Identity Management: define and introduce different notions of identity and techniques for identity management.
  79. Usable Security and Social Engineering: Adversarial thinking used by cyber-criminals or malicious groups to exploit weaknesses in organizations, systems, networks, and personal information
  80. Compliance and Policy: Concepts and techniques for setting and complying with security policies, FIPS, Common Criteria, NIST 800-53, Best Practices, building security in versus bolting on security.
  81. Vulnerability Analysis and Auditing: key concepts in vulnerability analysis and auditing, Verification and Validation, Authority to Operate (ATO)
  82. Optional Topic: Supply Chain Security: (if time permits) risk assessments and adversarial thinking models for addressing security of components in the supply chain, hardware security, manufacturing security
  83. Risk Management: The economics of security, cost benefit analysis, and liability. Capstone discussion of overall risk management, risk control, and risk mitigation for both traditional information technology (IT) systems as well as embedded systems, Cyber Physical Systems (CPS), and the Internet of Things (IoT).
  84. Accommodation Statement
  85. I am committed to providing everyone the support and services needed to participate in this course. If you qualify for accommodations because of a disability, please submit to your professor a letter from Disability Services in a timely manner (for exam accommodations provide your letter at least one week prior to the exam) so that your needs can be addressed. Disability Services determines accommodations based on documented disabilities. Contact Disability Services at 303-492-8671 or by e-mail at dsinfo@colorado.edu. If you have a temporary medical condition or injury, see the Temporary Medical Conditions: Injuries, Surgeries, and Illnesses guidelines under Quick Links at the Disability Services website and discuss your needs with me.
  86.  
  87. Religious Observances
  88. Campus policy regarding religious observances requires that faculty make every effort to deal reasonably and fairly with all students who, because of religious obligations, have conflicts with scheduled exams, assignments or required assignments/attendance. If this applies to you, please speak with me directly as soon as possible at the beginning of the term.
  89.  
  90. Classroom Behavior
  91. Students and faculty each have responsibility for maintaining an appropriate learning environment. Those who fail to adhere to such behavioral standards may be subject to discipline. Professional courtesy and sensitivity are especially important with respect to individuals and topics dealing with differences of race, color, culture, religion, creed, politics, veteran’s status, sexual orientation, gender, gender identity and gender expression, age, ability, and nationality. Class rosters are provided to the instructor with the student's legal name. I will gladly honor your request to address you by an alternate name or gender pronoun. Please advise me of this preference early in the semester so that I may make appropriate changes to my records. For more information, see the policies on class behavior and the student code.
  92.  
  93. Discrimination and Harassment
  94. The University of Colorado Boulder (CU-Boulder) is committed to maintaining a positive learning, working, and living environment. CU-Boulder will not tolerate acts of discrimination or harassment based upon Protected Classes or related retaliation against or by any employee or student. For purposes of this CU-Boulder policy, "Protected Classes" refers to race, color, national origin, sex, pregnancy, age, disability, creed, religion, sexual orientation, gender identity, gender expression, veteran status, political affiliation or political philosophy. Individuals who believe they have been discriminated against should contact the Office of Discrimination and Harassment (ODH) at 303-492-2127 or the Office of Student Conduct (OSC) at 303-492-5550. The full policy on discrimination and harassment has more information.
  95.  
  96. Honor Code
  97. All students of the University of Colorado at Boulder are responsible for knowing and adhering to the academic integrity policy of this institution. Violations of this policy may include: cheating, plagiarism, aid of academic dishonesty, fabrication, lying, bribery, and threatening behavior. All incidents of academic misconduct shall be reported to the Honor Code Council (honor@colorado.edu; 303-735-2273). Students who are found to be in violation of the academic integrity policy will be subject to both academic sanctions from the faculty member and non-academic sanctions (including but not limited to university probation, suspension, or expulsion). The Honor Code Office has more information.