
CSUS, COLLEGE OF ENGINEERING AND COMPUTER SCIENCE Department of Computer Science

CSC 154 - Computer System Attacks and Countermeasures/ C Sc 254 – Network Security (MW 7-8:15p; RVR 1008), Fall 2013

Instructor: Isaac Ghansah

Office: RVR 4004

Phone: (916) 278-7659

Email: ghansah@csus.edu (Please insert "CSc154" or "CSc254" somewhere in the subject line); No email via WebCT

WWW: http://gaia.ecs.csus.edu/~ghansahi/ (DATED!!)

Office Hours: MW 515-545, TU 1-3; and other times by appointment

TA: Joubin Jabbari, Mike McParland

Texts: McClure, Scambray & Kurtz, Hacking Exposed (Network Security Secrets & Solutions), Osborne McGraw Hill, 6th Edition, 2009 (Required)

References:

• R. Panko, Corporate Computer and Network Security, Prentice Hall, 2004
• Charles P. Pfleeger, Security in Computing, 3rd Ed., Prentice Hall, 2003
• Kevin D. Mitnick, William L. Simon, The Art of Deception, Wiley, 2002
• William Stallings, Computer Security, Prentice Hall, 2009
• C. Kaufman, R. Perlman, M. Speciner, Network Security: Private Communication in a Public World, 2nd Ed., Prentice Hall, 2002
• William Stallings, Cryptography and Network Security: Principles and Practice, 4th Ed., Prentice Hall, 2006
• Recent articles from the technical literature and Internet Engineering Task Force (IETF) Requests for Comments (RFCs)

154 & 254 Differences: Even though the classroom lectures will be the same for both courses, the difference will be in some assignments and, in some cases, exams. The instructor will use different methods including different project proposals, homework assignments, examination questions, oral examinations, etc.


The main objective of this course is to introduce the computer science student to the career path in Computer and Network Security, to provide experience in performing security assessment of computers and networks, and to expose the student to some of the domains that comprise the skills and knowledge required of a Certified Information Systems Security Professional (CISSP).

Catalog Description (CSC 154):

An introduction to network and computer security with a focus on how intruders gain access to systems, how they escalate privileges, and what steps can be taken to secure a system against such attacks. Topics include: perimeter defenses, intrusion detection systems, social engineering, distributed denial of service attacks, buffer overflows, race conditions, trojans and viruses.

Prerequisite: CSC/CPE 138.

Catalog Description (CSC 254):

In-depth study of network security problems and discussion of potential solutions. Topics include: network vulnerabilities and attacks, secure communication, Internet security protocols and tools to defend against network attacks, network intrusion detection, and wireless network security. Survey and demonstration of software tools used for network security.

Prerequisite: Fully Classified Graduate Status in CSC, SE, or CPE, or permission of instructor

Prerequisite Proof:

The Computer Science Department has a policy that each instructor will verify the student transcript and ascertain that the student has the prerequisites. You can log on to My Sac State, go to "Student Center" and select "Unofficial Transcripts" to print. You can also select and print "Transfer Credit Report" if you have transferred from another institution. You must submit your transcript for verification. Any student who has completed one or more prerequisites at another school must provide similar verification to the instructor. Any student who has not submitted their transcript by the end of the second week will be dropped from the class.

Repeat Policy:

The department has a policy specifying that students may not repeat a Computer Science course more than once. Any student who wishes to repeat a course more than once (that is, take a course for a third time) must submit a petition requesting permission to do so. Student records will be reviewed to determine whether a student is taking this course for three or more times. Any such student must return an approved petition to the instructor within the first two weeks of class. Any student who does not submit an approved petition will be dropped from the class. Petitions are available in the Department office (RVR 3018) and require the signature of both the Instructor and the Dept. Chair.

Course Goals:

• To provide experience in analyzing, identifying, and addressing vulnerabilities in systems or networks.
• To provide experience in performing a security audit of computers and networks.
• To expose the student to the domains of knowledge and skills required for information
• To develop knowledge of contemporary risks in networks and attack procedures
• To analyze Internet protocols in order to protect networks from attack
• To analyze security protocols which protect networks from attack
• To provide understanding of how cryptography is used in Internet protocols for secure communication
• To develop proficiency in use of various software tools for Internet security
• To develop breadth of knowledge of wireless network security
• To introduce the computer science student to career paths in Computer and Network Security.

Prerequisites by Topic

Thorough understanding of:

1. TCP/IP suite of protocols and WAN/LAN Technologies.
2. Distributed computing with client/server programming

Basic understanding of:

1. Domain Name System (DNS) and addressing schemes used in internetworking
2. Host and Network Configuration Protocols (ARP, RARP, BOOTP, DHCP)
3. Unix and Windows operating system common services, ports, and sockets.
4. How to compile and run programs in Linux and Windows.

Exposure to:

1. IPv6 and IPSec

Course Content:

This class will immerse the student in an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab-intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking their own networks; no real network is harmed. Students then learn how intruders attack systems and what steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows, Trojans, Worms, and Viruses.

Summary of Outcomes

In this course, we will study computer and network security and look at the different requirements for information assurance. You will gain experience with the role of defending hosts and networks from attack as well as learning how the hacker uses tools to attack and penetrate networks. Students will be able to use several open software tools that analyze hosts and networks for vulnerabilities and will be exposed to the hacker technique of "thinking outside the box".

TENTATIVE GRADING POLICY:

CSC 254 Students:

Exams/Quizzes 25%

Final 25%

Assignments/Homework 30%

Project/Oral-and-Written-Communication 15%

Attendance to Oral Presentations 5%

CSC 154 Students:

Exams/Quizzes 25%

Final 30%

Assignments/Homework 40%

Attendance to Oral Presentations 5%

Grading Breakdown (%):

A = 93-100 | C = 73-76
A- = 90-92 | C- = 70-72
B+ = 87-89 | D+ = 67-69
B = 83-86 | D = 63-66
B- = 80-82 | D- = 60-62
C+ = 77-79 | F = 59 or below

You must pass both the assignments/project and the exams in order to obtain a passing grade for the course. Students are required to keep backup (machine-readable) copies of all submitted work, and also to keep all returned (graded) work, until after final grades are posted.

INDEPENDENT PROJECTS

Independent student projects involve programming (i.e., simulation or implementation) or a research paper. A list of possible projects is provided by the instructor. Students may choose their own topics upon approval of the instructor. Joint programming projects are encouraged. Oral and written communication skills are essential for any work environment you find yourself in. Therefore, the deliverables for the Projects will include a detailed report and an oral PPT presentation (for research papers) or demonstration (programming projects). The final written report should be professional and potentially publishable in a technical magazine/journal such as IEEE Communications, IEEE Network Magazine, IEEE Security and Privacy Magazine, etc. The grading will assess your written and oral communication skills. For details of the specific grading criteria, see the Independent Project call for proposals (to be given later in the semester).

COMPUTER ACCOUNTS AND ELECTRONIC COMMUNICATION:

a) gaia account

You should obtain a UNIX account on the ECS system "gaia" for this class if you do not have one. Though not required, you might find it useful for some assignments. These are the steps:

a. Use your favorite browser and go to www.ecs.csus.edu
b. Click on Computing Services -> Network Accounts -> Get a new Account.
c. Fill out all required fields

b) Mailing List

I have established a Mailing List for this course with a web-based maillist interface called Mailman. It is MANDATORY for every student accepted into the course to subscribe to the Mailing List within the first two weeks of classes. The list will be used to facilitate electronic communication for the course. Failure to subscribe to the list in a timely manner could result in your missing important assignments, clarifications, announcements, etc that are sent by email. You must check email on a regular basis and I will assume that you have received and read all messages I send to the list. The instructor will not be held responsible for your failures. To subscribe to the list go to the following website and fill out appropriate forms there. PLEASE MAKE SURE YOU FILL IN YOUR FULL NAME IN THE SECTION PROVIDED ON THE FORM.

http://hera.ecs.csus.edu/mailman/listinfo/csc154new

http://hera.ecs.csus.edu/mailman/listinfo/csc254

This will add your email address (the one from which you send the message, hopefully gaia) to the csc254/csc154new mailing list. Subsequently you can send questions or discussion items regarding topics in csc254 or csc154new to everyone on the list. To do this, just send an email message to the address csc154new@ecs.csus.edu or "csc154new@ecs.csus.edu". This is a good way to send messages to other students in the class regarding clarifications about assignments, lecture, etc. Note that these email messages are sent to everyone on the csc254 or csc154new list (including the instructors). If you need to communicate privately with the Instructor, use the instructor's individual email address as given above.

Note: Do not send HTML e-mail to the list. Some mail reader programs do not understand HTML tags.

c) Assignment/Homework Submission

You must submit all homework/assignments/project reports electronically via WebCT, which can be reached from mySacState ( my.csus.edu ). I will not accept a hardcopy. Any file which is placed in WebCT will be named according to one of the formats below (depending on the type of assignment). Please do NOT submit pdf files as I will not be able to make comments on them. Word format is preferable.

your-name_course#_hmwk_hmwk#
name_course#_lab_lab#
your-name_course_project_project#

For example, if a student named John Doe is submitting homework#1, the file name of the email attachment should be doe-john_154_hmwk_1 or doe-john_254_hmwk_1.

Please note: If the attachment is not according to proper format as stated above, it will not be accepted.

COURSE POLICIES:

1. Information in this syllabus is subject to change with notice.

2. Attendance to class and frequent check of email is expected. Class roll will not be checked after the first week of classes unless the instructor deems it necessary. However, you are responsible for material presented and announcements made in class or by email. This could include changes to the syllabus, exam dates, etc.

3. Late assignment/project will be penalized by 20% if one lecture late. Nothing will be accepted if more than one lecture late, or if the solution has been posted.

4. Make-up exams will only be given under extreme circumstances. The instructor reserves the right to reject make-up requests. There will be no make-up for unannounced quizzes under any circumstances.

5. Be aware of the institution policy on drops and incompletes.

Drop Policy

If you plan to drop this course, please make sure you understand the following information.

There is no such thing as an "automatic drop". The instructor can drop you from the course, but this does not happen automatically. If you plan to drop the course, make sure to use MySacState.

• After the 2nd week, you cannot drop the course through MySacState. At this point, you must provide written verification of a compelling reason. Both the instructor and the Department Chair must approve.

• After the 4th week, you must fill out a "Petition to Drop after Deadline" form and collect all the necessary signatures. This must be turned in to Admission and Records in Lassen Hall.

Students with Disabilities

If you have a disability and require accommodations, you need to provide disability documentation to SSWD (Services to Students with Disabilities), Lassen Hall 1008, (916) 278-6955. Please discuss your accommodation needs with me after class or in lab early in the semester.

Ethics/Academic Honesty

Any work submitted is a contractual obligation that the work is the student’s and for which he/she could be quizzed in detail. Discussion among students in assignments and projects is part of the educational process and is encouraged. No discussion among students is allowed in any exams/quizzes. However, each student must make an effort to do his/her own work in all assignments and exams. No type of plagiarism will be tolerated except in the case of group work. In that case each student should indicate the part of the work, which was their major responsibility in their final joint submission. Nevertheless, I emphasize any work submitted is a contractual obligation that the work is the student’s and for which he/she could be quizzed in detail. The minimum penalty for even a single incident of cheating brought to the attention of the instructor in this course is automatic failure of the course; additional more severe penalties may also be applied. Note that cheating is grounds for dismissal from the University.

Please refer to the Computer Science Dept. document entitled “Policy on Academic Integrity” (available online via the Computer Science department, www.ecs.csus.edu/csc home page) and to the University Policy Manual section on Academic Honesty (all available online via the instructor’s home page. Please visit http://www.csus.edu/admbus/umanual/UMA00150.htm) for additional information. IT IS THE RESPONSIBILITY OF EACH STUDENT TO BE FAMILIAR


addition, unless otherwise stated, the use of the following devices during exams/quizzes is prohibited: cell phones, pagers, laptops, and PDAs.

Legal Policy:

Every student that enrolls in this course will be required to sign a "Legal Policy" that reads: Computer and Network Security course mission is to educate, introduce and demonstrate hacking tools for penetration testing and education purposes only. I will not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system, and to indemnify California State University, Sacramento and College of Engineering and Computer Science with respect to the use or misuse of these tools, regardless of intent.

Expected Learning Outcomes: At the end of the course you will be expected to acquire

1. Thorough understanding of:

   1. The fundamental steps that a hacker performs.
   2. Major software security design flaws such as buffer overflow and race conditions.
   3. Common tools hackers use in conducting attacks and how they work.
   4. Best practices for defending against attacks.

2. Basic understanding of:

   1. Host and network intrusion detection systems.
   2. Tools and methods of protecting computers and networks against hacker attacks.
   3. Major types of malicious code such as Trojans, viruses, and worms.
   4. Legal and ethical practices in security.

3. Exposure to:

   1. Acceptable methods of security incident investigation.

C SC 154/254 - TENTATIVE SCHEDULE SUBJECT TO CHANGE

WEEK | TOPICS | READING

1 | Introduction, Attacker's Process, Ethics, and law, Internet Security. Principles of computer Security. Security Goals: Confidentiality, Integrity, Availability. Secrecy, Authentication, Authorization, Accountability, Availability, Integrity, Trust (SAAAAINT) | MSK Case Study:, Notes

2 | Introduction to cryptography. Secure System Design Principles. Least Privilege, Separation of Privilege, Isolation, Usability, etc. Risk Assessment | MSK Ch, Class Notes

3 | Footprinting, scanning, enumeration. Tools. | MSK

4-5 | System Hacking: Password Attacks and Defenses. Password Hacking tools. Privilege escalation, Rootkits, and Defenses. Keystroke loggers. Covering tracks, hiding files. Steganography. Buffer overflow attacks and defenses. Social engineering | MSK Ch,

6 | Firewalls, intrusion detection systems, and honeypots | Notes

7 | Malware: Trojans, backdoors, viruses, worms. Conficker Worm | MSK

8 | Intro to Reverse Engineering: Malware Analysis, static and dynamic analysis. Tools. |

9 | Secure Communication: IPSec, SSL/TLS, VPNs, etc | Notes

10 | Denial of service. Attack Methods. Tools. DDoS. Countermeasures. Session hijacking, Covert Channels | MSK Ch, , Notes

10 | Wireless and Mobile Network Security. 802.11 (Wifi) Security; GSM, 2G/3G/4G Security; Bluetooth, RFID security. Attacks and Defenses | Notes

11 | Sensor Networks and SCADA System Security. 802.15.4 and sensor networks (e.g. Zigbee) security; Attacks (e.g. Stuxnet) and Defenses. | Notes

12 | Access Control, biometrics, separation of duties, Physical Security, TEMPEST Security. Security Policies. | Notes

13 | Penetration Testing: Introduction, Risks, benefits, methodology | Notes

14 | Other Topics, |

15 | Independent Project Presentations |

IMPORTANT DATES:

Veterans' Holiday: Nov 11, 2013

Thanksgiving Break: Nov 28-29, 2013

Last Day of Instruction: Dec 13, 2013

FINAL EXAM:
