updates

content/CSE4303/CSE4303_L1.md

@@ -1 +1,112 @@
-# CSE4303 Introduction to Computer Security (Lecture 1)
+# CSE4303 Introduction to Computer Security (Lecture 1)
+
+## Course introduction and security fundamentals
+
+### Computer Security Ethics
+
+In this course, you will learn about tools and techniques that cna be used to violate privacy, cause harm, or undermine trust.
+
+"The difference between a professional and a threat actor is not the technique -- it's intent, restraint, and accountability." -- ChatGPT
+
+Intent:
+
+Am I doing this for good or for bad?
+
+Restraint:
+
+Just because I can, should I?
+
+Accountability:
+
+Am I willing to take responsibility for my
+actions, even when my name isn’t on them?
+If my actions cause unintended harm, are my
+actions defensible?
+
+**Strive to be the good guy**
+
+> [!WARNING]
+> 
+> Disclaimer: If you choose to experiment on systems you do not own, do not have permission to test, or engage in illegal activity, that is a personal choice—not a course activity. In those cases, you should not expect support, protection, or advocacy from the instructional staff or the university.
+
+What is there to gain?
+
+- Access to systems
+
+Trust and reputation are critical in cybersecurity. If you do not have a strong reputation as a professional, no one will trust you with access to their systems!
+
+### Course learning objectives
+
+1. Understand principles of security analysis
+2. Explain key security concepts such as confidentiality
+3. Explain the root causes of current security problems
+4. Produce clear and concise descriptions of security problems on real world systems
+5. Analyze systems for potential vulnerabilities
+
+Slides contain material from Computer Security lectures taught by
+
+- Prof. Dan Boneh from Stanford
+- Prof. Wenke Lee from Georgia Tech
+- Prof. Wenliang (Kevin) Du from Syracuse
+- Profs. Zhang and Cole
+
+These sources will be used for slides throughout the course
+
+## Defining security
+
+How would you define security?
+
+- informal: protecting something (information, system) against stealing, changing, destroying, forging etc.
+- Slightly more formal:
+  - Ensuring that assets
+    - Can be accessed by those with authority to do so
+    - Cannot be accessed by those without it
+
+The security of a system, application, or protocol is always relative to
+
+- A set of desired properties
+  - anonymity, confidentiality, authenticity, and more
+- An adversary with specific capabilities ("threat model")
+  - I put the pizza on top of the fridge so the dog couldn’t reach it. I forgot about the cat
+
+## Key security concepts
+
+Confidentiality: no unauthorized disclosure of information
+
+- Tools to achieve it
+  - Encryption
+  - Access control
+  - Authentication (passwords, biometrics, etc.)
+
+Integrity: information is not altered from original content in unauthorized way
+
+- Tools to achieve it:
+  - Backups (hot and cold, on-site and off-site)
+  - Checksums and hash functions
+
+Availability: information and resources are accessible to those authorized to have it
+
+- Threats:
+  - Resource (e.g. website): Denial of Service (DoS or DDoS) attack
+    - Example: Murai botnet makes popular websites unavailable (2016)
+    - Video: Murai in 100 seconds
+    - Example: DDoS attacks increase in work-from-home COVID-19environment
+- Complexity attacks
+- Data: ransomware
+  - Example: WannaCry caused billions of $$ in damage 2017
+  - One of fastest-growing attack types: payments and number on the rise
+
+- Tools to achieve it:
+  - backup power
+  - isolated networks ("air-gapped systems")
+  - no single point of data storage (e.g. RAID)
+  - data backups
+  - robust server infrastructure
+
+### Other security goals
+
+Authenticity: identity of an entity (issuer of info/message) is verified
+
+Anonymity: identity of an entity remains unknown
+
+Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)