MW , TU 1-3; and other times by appointment

Transcription

1 CSUS, COLLEGE OF ENGINEERING AND COMPUTER SCIENCE Department of Computer Science CSC Computer System Attacks and Countermeasures/ C Sc 254 Network Security (MW 7-8:15p; RVR 1008), Fall 2013 Instructor: Isaac Ghansah Office: RVR 4004 Phone: (916) WWW Office Hours: ghansah@csus.edu, (Please insert "CSc154" or CSc254 somewhere in the subject line); No via WebCT (DATED!!) MW , TU 1-3; and other times by appointment TA Joubin Jabbari, Mike McParland, Texts: McClure, Scambray & Kurtz, Hacking Exposed (Network Security Secrets & Solutions), Osborne McGraw Hill, 6 th Edition, 2009 (Required) References: R. Panko, Corporate Computer and Network Security, Prentice Hall, 2004 Security in Computing, Charles P. Pfleeger, 3Ed, Prentice Hall, 2003 The Art of Deception, Kevin D. Mitnick, William L. Simon, Wiley, 2002 William Stallings, Computer Security, Prentice Hall, 2009 C. Kaufman, R Perlman, M Speciner Network Security: Private Communication in a Public World, 2nd Ed. by, Prentice Hall, 2002 William Stallings, Cryptography and Network Security: Principles and Practice, 4 Ed., Prentice Hall, 2006 Recent articles from technical literatures and Internet Engineering Task Force (IETF) Request for Comments (RFC) 154 & 254 Differences: Even though the classroom lectures will be the same for both courses, the difference will be in some assignments and in some cases, exams. The instructor will use different methods including different projects proposals, homework assignments, examination questions, oral examinations, etc. Course Objectives: 1

2 Main objective of this course is to introduce the computer science student to the career path in Computer and Network Security. Provide experience in performing security assessment of computers and networks. Expose the student to the some of the domains that comprise what the Certified Information Systems Security Professional (CISSP) skills and knowledge require. Catalog Description (CSC 154): An introduction to network and computer security with a focus on how intruders gain access to systems, how they escalate privileges, and what steps can be taken to secure a system against such attacks. Topics include: perimeter defenses, intrusion detection systems, social engineering, distributed denial of service attacks, buffer overflows, race conditions, trojans and viruses. Prerequisite: CSC/CPE 138. Catalog Description (CSC 254): In-depth study of network security problems and discussion of potential solutions. Topics include: network vulnerabilities and attacks, secure communication, Internet security protocols and tools to defend against network attacks, network intrusion detection, and wireless network security. Survey and demonstration of software tools used for network security. Prerequisite: Fully Classified Graduate Status in CSC, SE, or CPE, or permission of instructor Prerequisite Proof: The Computer Science Department has a policy that each instructor will verify the student transcript and ascertain that the student has the prerequisites. You can log on to My Sac State go to "Student Center" and select "Unofficial Transcripts" to print. You also can select and print "Transfer Credit Report" if you have transferred from another institution. You must submit your transcript for verification. Any student who has completed one or more prerequisites at another school must provide similar verification to the instructor. Any student who has not submitted their transcript by the end of the second week will be dropped from the class. Repeat Policy: The department has a policy specifying that students may not repeat a Computer Science course more than once. Any student who wishes to repeat a course more than once (that is, take a course for a third time) must submit a petition requesting permission to do so. Student records will be reviewed to determine whether a student is taking this course for three or more times. Any such student must return an approved petition to the instructor within the first two weeks of class. Any student who does not submit an approved petition will be dropped from the class. Petitions are available in the Department office (RVR 3018) and require the signature of both the Instructor and the Dept. Chair. Course Goals: To provide experience in analyzing, identifying, and addressing vulnerabilities in systems or networks. To provide experience in performing a security audit of computers and networks. To expose the student to the domains of knowledge and skills required for information systems security. 2

3 To develop knowledge of contemporary risks in networks and attacks procedures To analyze Internet protocols in order to protect networks from attack To analyze security protocols which protect networks from attack To provide understanding of how cryptography is used in Internet protocols for secure communication To develop proficiency in use of various software tools for Internet security To develop breadth of knowledge of wireless network security To introduce the computer science student to career paths in Computer and Network Security. Prerequisites by Topic Thorough understanding of: 1. TCP/IP suite of protocols and WAN/LAN Technologies. 2. Distributed computing with client/server programming Basic understanding of: 1. Domain Name System (DNS) and addressing schemes used in internetworking 2. Host and Network Configuration Protocols (ARP, RARP, BOOTP, DHCP) 3. Unix and Windows operating system common services, ports, and sockets. 4. How to compile and run programs in Linux and Windows. Exposure to: 1. IPv6 and IPSec Course Content: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking their own networks, no real network is harmed. Students then learn how intruders attack systems and what steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows, Trojans, Worms, and Viruses. Summary of Outcomes In this course, we will study computer and network security and look at the different requirements for information assurance. You will gain experience with the role of defending hosts and networks from attack as well as learning how the hacker uses tools to attack and penetrate networks. Students will be able to use several open software tools that will analyze host and networks for vulnerabilities and be exposed to the hacker technique of "thinking outside the box". TENTATIVE GRADING POLICY: The following allocation of points is tentative. These may change during the semester. 3

4 CSC 254 Students: Exams/Quizzes 25% Final 25% Assignments/Homework 30% Project/Oral-and-Written-Communication 15% Attendance to Oral Presentations 5% CSC 154 Students: Exams/Quizzes 25% Final 30% Assignments/Homework 40% Attendance to Oral Presentations 5% Grading Breakdown (%): A = C = A- = C- = B+ = D+ = B = D = B- = D- = C+ = F = 59 or below You must pass both the assignments/project and the exams in order to obtain a passing grade for the course. Students are required to keep backup (machine-readable) copies of all submitted work, and also to keep all returned (graded) work, until after final grades are posted. INDEPENDENT PROJECTS Independent student projects involving programming (ie. simulation or implementation), or research paper. List of possible projects are provided by the instructor. Students may choose their own topics upon approval of instructor. Joint programming projects are encouraged. Oral and written communication skills are essential for any work environment you find yourself. Therefore, the deliverables for the Projects will include a detailed report and oral PPT presentation (for research papers) or demonstration (programming projects). The final written report should be professional and potentially publishable in a technical magazine/journal such as IEEE Communications, IEEE Network Magazine, IEEE Security and Privacy Magazine, etc. The grading will assess your written and oral communication skills. For details of the specific grading criteria see details of Independent Project call for proposals (to be given later in the semester). COMPUTER ACCOUNTS AND ELECTRONIC COMMUNICATION: a) gaia account You should obtain a UNIX account on the ECS system "gaia" for this class if you do not have one. Though not required you might find it useful for some assignments. These are the steps: a. Use your favorite Browser and Go to b.click on Computing Services -> Network Accounts -> Get a new Account. c. Fill out all required fields You can also obtain an account by getting one from the College IT staff in room

5 b) Mailing List I have established a Mailing List for this course with a web-based maillist interface called Mailman. It is MANDATORY for every student accepted into the course to subscribe to the Mailing List within the first two weeks of classes. The list will be used to facilitate electronic communication for the course. Failure to subscribe to the list in a timely manner could result in your missing important assignments, clarifications, announcements, etc that are sent by . You must check on a regular basis and I will assume that you have received and read all messages I send to the list. The instructor will not be held responsible for your failures. To subscribe to the list go to the following website and fill out appropriate forms there. PLEASE MAKE SURE YOU FILL IN YOUR FULL NAME IN THE SECTION PROVIDED ON THE FORM. This will add your address (the one from which you send the message, hopefully gaia) to the csc254/csc154new mailing list. Subsequently you can send questions or discussion items regarding topics in csc254 or csc154new to everyone on the list. To do this, just send an message to the address csc154new@ecs.csus.edu or csc154new@ecs.csus.edu. This is a good way to send messages to other students in the class regarding clarifications about assignments, lecture, etc. Note that these messages are sent to everyone on the csc254 or csc154new list (including the instructors). If you need to communicate privately with the Instructor, use the instructor s individual address as given above. Note: Do not send HTML to the list. Some mail reader programs do not understand HTML Tags. c) Assignment/Homework Submission You must submit all homework/assignments/project reports electronically via WebCT, which can be reached from mysacstate ( my.csus.edu ). I will not accept a hardcopy. Any file which is placed in WebCT will be named according to one of the formats below (depending on the type of assignment). Please do NOT submit pdf files as I will not be able to make comments on them. Word format is preferable. Your-name_course#_hmwk _hmwk#, your-name_course#_lab_lab#, yourname_course_project_project# For example if a student named John Doe is submitting homework#1 the file name of the attachment should be doe-john_154_hmwk_1, or doe-john_254_hmwk_1 Please note: If the attachment is not according to proper format as stated above, it will not be accepted. COURSE POLICIES: 1. Information in this syllabus is subject to change with notice. 2. Attendance to class and frequent check of is expected. Class roll will not be checked after first week of classes unless the instructor deems it necessary. However, you are 5

6 responsible for material presented and announcements made in class or by . This could include changes to the syllabus, exam dates, etc. 3. Late assignment/project will be penalized by 20% if one lecture late. Nothing will be accepted if more than one lecture late, or if solution has been posted. 4. Make-up exams will only be given under extreme circumstances. The instructor reserves the right to reject make-up requests. There will be no make-up for unannounced quizzes under any circumstances 5. Be aware of the institution policy on drops and incomplete. Drop Policy If you plan to drop this course, please make sure you understand the following information. There is no such thing as an "automatic drop". The instructor can drop you from the course, but this does not happen automatically. If you plan to drop the course, make sure to use MySacState. After the 2nd week, you cannot drop the course through MySacState. At this point, you must provide written verification of a compelling reason. Both the instructor and the Department Chair must approve. After the 4th week, you must fill out a "Petition to Drop after Deadline" form and collect all the necessary signatures. This must be turned into Admission and Records in Lassen Hall. Students with Disabilities If you have a disability and require accommodations, you need to provide disability documentation to SSWD (Services to Students with Disabilities), Lassen Hall 1008, (916) Please discuss your accommodation needs with me after class or in lab early in the semester. Ethics/Academic Honesty Any work submitted is a contractual obligation that the work is the student s and for which he/she could be quizzed in detail. Discussion among students in assignments and projects is part of the educational process and is encouraged. No discussion among students is allowed in any exams/quizzes. However, each student must make an effort to do his/her own work in all assignments and exams. No type of plagiarism will be tolerated except in the case of group work. In that case each student should indicate the part of the work, which was their major responsibility in their final joint submission. Nevertheless, I emphasize any work submitted is a contractual obligation that the work is the student s and for which he/she could be quizzed in detail. The minimum penalty for even a single incident of cheating brought to the attention of the instructor in this course is automatic failure of the course; additional more severe penalties may also be applied. Note that cheating is grounds for dismissal from the University. Please refer to the Computer Science Dept. document entitled Policy on Academic Integrity (available online via the Computer Science department, home page) and to the University Policy Manual section on Academic Honesty (all available online via the instructor s home page. Please visit for additional information. IT IS THE RESPONSIBILITY OF EACH STUDENT TO BE FAMILIAR WITH, AND TO COMPLY WITH, THE POLICIES STATED IN THESE DOCUMENTS In 6

7 addition, unless otherwise stated, the use of the following devices during exams/quizzes is prohibited: cell phones, pagers, laptops, and PDAs. Legal Policy: Every student that enrolls in this course will be required to sign a "Legal Policy" that reads: Computer and Network Security course mission is to educate, introduce and demonstrate hacking tools for penetration testing and education purposes only. I will not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system, and to indemnify California State University, Sacramento and College of Engineering and Computer Science with respect to the use or misuse of these tools, regardless of intent. Expected Learning Outcomes: At the end of the course you will be expected to acquire 1. Thorough understanding of: 1. The fundamental steps that a hacker performs. 2. Major software security design flaws such as buffer overflow and race conditions. 3. Common tools hackers use in conducting attacks and how they work. 4. Best practices for defending against attacks. 2. Basic understanding of: 1. Host and network intrusion detection systems. 2. Tools and methods of protecting computers and networks against hacker attacks. 3. Major types of malicious code such as Trojans, viruses, and worms. 4. Legal and ethical practices in security. 3. Exposure to: 1. Acceptable methods of security incident investigation. C SC 154/254 - TENTATIVE SCHEDULE SUBJECT TO CHANGE WEEK TOPICS READING 1 Introduction, Attacker s Process, Ethics, and law, Internet Security. Principles of computer Security. Security Goals: Confidentiality, Integrity, Availability. Secrecy, Authentication, Authorization, Accountability, Availability, Integrity, Trust (SAAAAINT) MSK Case Study:, Notes 2 Introduction to cryptography. Secure System Design Principles. Least Privilege, Separation of Privilege, Isolation, Usability, etc. Risk Assessment MSK Ch, Class Notes 3 Footprinting, scanning, enumeration. Tools. MSK 4-5 System Hacking: Password Attacks and Defenses. Password Hacking tools. Privilege escalation, Rootkits, and Defenses. Keystroke loggers. Covering tracks, hiding files. Steganography. Buffer overflow attacks and defenses. Social engineering MSK Ch, 6 Firewalls, intrusion detection systems, and honeypots Notes 7 Malware: Trojans, backdoors, viruses, worms. Conficker Worm MSK 8 Intro to Reverse Engineering: Malware Analysis, static and dynamic Notes analysis. Tools. 7

8 9 Secure Communication: IPSec, SSL/TLS, VPNs, etc Notes 10 Denial of service. Attack Methods. Tools. DDoS. MSK Ch,, Countermeasures. Session hijacking, Covert Channels Notes 10 Wireless and Mobile Network Security (Wifi) Security; GSM, Notes 2G/3G/4G Security; Bluetooth, RFID security. Attacks and Defenses 11 Sensor Networks and SCADA System Security and sensor Notes networks (eg. Zigbee) security; Attacks (eg. Stuxnet) and Defenses. 12 Access Control, biometrics, separation of duties, Physical Security, Notes TEMPEST Security. Security Policies. 13 Penetration Testing: Introduction, Risks, benefits, methodology Notes 14 Other Topics, 15 Independent Project Presentations IMPORTANT DATES: Veterans Holiday: Nov 11, 2013 Thanksgiving Break: Nov 28-29, 2013; Last Day of Instruction: Dec 13, 2013 FINAL EXAM: 8