- Teaching Assistants: Please see Instructor and TA contact information.
Course Description
Introduction to information security, the practice of protecting
information from unauthorized actions, in the context of computer
systems. Topics include current security-related issues, basic
adversarial models and threats to computer systems, potential
defenses, security tools, and common security breaches and their wider
impacts.
Prerequisite: CPSC 100, 112, or equivalent programming experience, or
with permission of instructor.
Course Overview
Information security is a rapidly evolving field. The majority of our
communications, including sensitive communications such as financial
and business transactions, medical information, and personal exchanges,
happen on the Internet. We depend on often very complex computer
systems to protect these communications. We specifically aim at
preserving confidentiality, integrity and availability of
information. However, the modern challenges of information security,
the practice of protecting information from unauthorized actions, are
vastly different from what they used to be as the adversarial models
and threats continue to change at a fast pace. As a result, we have
witnessed a surge of serious security breaches in the past couple of
years because organizations and individuals find themselves unprepared to
deal with those challenges.
This course covers the essentials of information security, as applied
to real-world systems, required to
- understand the current security issues
- identify potential solutions
- mitigate threats
- analyze past security breaches
- understand their wider impact.
The
course also covers the practical aspects of implementing security in
real systems, including the human component. Topics of privacy,
anonymity and surveillance will also be discussed. A variety of
modern, widely available tools for secure communication will also be
covered as means to improving the security of personal information.
Topics
The course will cover the following topics.
- Essentials of information security (security mindset and
concepts, assets and threats, information security models and goals:
confidentiality, integrity, availability).
- Real-world adversaries and their attacks. Modern information
security challenges and security breaches. Goals of companies and
individuals. Why security is hard.
- Classical and practical crypto (encryption, digital
signatures, hash functions, authentication).
- Implementing and administering security in real
systems. Legal and organizational issues. Security trade-offs.
- Software security (software vulnerabilities and exploits,
malware, DRM).
- Network security (SSL/TLS, VPNs, firewalls, intrusion
detection systems, DoS attacks).
- Mobile platform security (Android and iOS).
- Application security (HTTPS, PKI, website and email
security, attacks).
- Privacy, anonymity, and surveillance. Secure communication tools.
- Social and human aspects of information security (social
engineering, human error, exploitations of human behavior, insider
threats and attacks).
- Case studies: real-world security breaches (scope, technical
basis, repercussions, mitigation).
Midterm Exam: Monday, October 12th at the regular class time and room.
Final Exam: TBA.
Guest Speakers
There will be a couple of guest speakers with significant cryptography
and information security experience.
- Richard Boscovich, Microsoft's assistant general counsel and director
of the Digital Crime Unit, will speak.
- Richard Ledgett, the former deputy director of the National Security
Agency, will speak.
- H. Morrow Long, Yale Information Security Officer, will speak.
In the past, we arranged informal dinners with the speakers. Unfortunately,
we cannot do that this year. The speakers will be online, not in person.
Too bad.
Course Structure
Prerequisites: This is an undergraduate level course and does not
require prior background in information security. However, it assumes
a familiarity with basic concepts of computer science and programming
such as are covered in the official prerequisite courses, CPSC 100 and
CPSC 112.
Required textbooks: There is one required textbook and it is
available at Yale as a licensed ebook. This means you can read it
online for free. We will also use assigned readings from a variety of
sources: white papers, news articles, etc.
Other Resources
- Web page: The course web page is at
http://zoo.cs.yale.edu/classes/cs257.
- Piazza: Students will be enrolled in a Piazza site for the course,
which permits an interactive exchange of questions and information:
www.piazza.com
Note: students are not allowed to post code to Piazza.
- Canvas: We may use Canvas for submission of assignments.
- Zoo accounts: The Zoo is a collection of computers located on the 3rd
floor of AKW at the front of the building, as well as room 111 in
17 Hillhouse. You will need a course account for CPSC 257 on the Zoo.
When you register for this class, your course account should be created
within one hour or so of signing up. A Zoo tutorial is available on-line
from the course web page.
- Course directory: The course directory, /c/cs257, is accessible from
your Zoo course account. It contains copies of handouts.
Course Requirements
- Class attendance and participation (∼5%). You are expected
to attend class regularly.
- Homework Assignments (∼30%). There will be approximately 4-6
assignments. They will include hands-on and programming problems.
Our example code will generally be in Python or bash shell scripts.
However, we do not tell you what language to use.
- Case Study (∼10%). You will be required to write an analysis of a
real-world security breach (∼500 words). The specific topic has to be
approved by the instructor.
- Exams. There will be two exams: midterm (∼25%) and final (∼30%).
The final exam will be given during the officially-scheduled examination
period.
Students will be assigned readings. Together with homework
assignments, students will be expected to do ∼6 hours of work per week
outside the classroom.
Please try not to leave the homework to the last minute. You will
be more efficient, learn more, have more chance to get help, and generally
be calmer and happier if you do the associated reading first and
start the programming or other problems early.
Programming:
You will be required to write programs to solve
many of the homework assignments. We do not specify which
language to use. In class, we will usually use Python or bash shell
scripts, but may use C or even Racket. With the homework
assignments, you will be graded on the answer, but it is usually a
good idea to show your work if you want partial credit. The way to
do that is to submit your source code.
Late Policy
Late work without a Dean's excuse
will be assessed a penalty of 5 points per day, based on
the submission timestamp.
At the end of term, up to 25 points will be deducted from
the total lateness penalties your homework has accrued.
However, according to Yale College regulations,
*no* homework can be accepted after the end
of Reading Week without a Temporary Incomplete (TI)
authorized by your dean.
If you have a Dean's excuse or a TI, making up missed work may involve
alternative assignments, at the discretion of the instructor;
please check with the instructor in this case.
Policy on Working Together
Unless otherwise specified, the homework assignments are your
individual responsibility. Plagiarism is a violation
of University rules and will not be tolerated. You must neither
copy work from others (at Yale or elsewhere)
nor allow your own work to be copied.
You are definitely on the wrong side of the boundary
if you give or receive a printed or electronic copy of your
or anyone else's work for the course from this term or previous
terms.
You are encouraged to ask others for help with the Zoo,
programming, and general questions about the concepts and material of the
course, but if you need more extensive help with a program or other
assignment, please ask a TA or the instructor for assistance. Working
in groups to solve homework problems is not permitted in this course.
Please talk to the instructor if you have any questions about this
policy.
Course Outline
| Week | Date | Topic |
|---|---|---|
| 1 | Aug 31, Sep 2 | Introduction. [MS1: Mark Stamp Chapter 1] |
| | | Cryptography |
| 2 | Sep 7, 9 | Crypto Basics [MS2] |
| 3 | Sep 14, 16 | Symmetric Key Crypto [MS3]: Stream Ciphers, Block Ciphers, DES, 3DES, AES |
| 4 | Sep 21, 23 | Public Key Crypto [MS4]: RSA, Diffie-Hellman |
| 5 | Sep 28, 30 | Hash Functions [MS5]: Birthday Attack, HMAC |
| | | Access Control |
| 6 | Oct 5, 7 | Authentication [MS7], Authorization [MS8] |
| 7 | Oct 12, 14 | Review for midterm |
| | Oct 14 | Midterm Exam. |
| | | Protocols |
| 9 | Oct 19, 21 | Simple Authentication Protocols [MS9]; Real-World Security Protocols [MS10]: SSH, SSL, IPSec, Kerberos, WEP, GSM |
| 10 | Oct 26, 28 | 10/26: Guest speaker: Richard Ledgett, ex-NSA deputy director. 10/28: Guest speaker: Richard Boscovich, Director, Microsoft Digital Crime Unit |
| 11 | Nov 2, 4 | Software |
| 12 | Nov 9, 11 | Software Flaws and Malware [MS11]. November 9th: Guest Speaker: Morrow Long, Yale Information Security Officer. |
| 13 | Nov 16, 18 | Insecurity in Software [MS12] |
| 14 | Nov 30, Dec 2 | Operating Systems and Security [MS13]. Review for final exam. |
| | Dec TBD | Final Exam |