NoteNextra-origin/content/CSE4303/CSE4303_L1.md

# CSE4303 Introduction to Computer Security (Lecture 1)

## Course introduction and security fundamentals

### Computer Security Ethics

In this course, you will learn about tools and techniques that cna be used to violate privacy, cause harm, or undermine trust.

"The difference between a professional and a threat actor is not the technique -- it's intent, restraint, and accountability." -- ChatGPT

Intent:

Am I doing this for good or for bad?

Restraint:

Just because I can, should I?

Accountability:

Am I willing to take responsibility for my
actions, even when my name isn’t on them?
If my actions cause unintended harm, are my
actions defensible?

**Strive to be the good guy**

> [!WARNING]
> 
> Disclaimer: If you choose to experiment on systems you do not own, do not have permission to test, or engage in illegal activity, that is a personal choice—not a course activity. In those cases, you should not expect support, protection, or advocacy from the instructional staff or the university.

What is there to gain?

- Access to systems

Trust and reputation are critical in cybersecurity. If you do not have a strong reputation as a professional, no one will trust you with access to their systems!

### Course learning objectives

1. Understand principles of security analysis
2. Explain key security concepts such as confidentiality
3. Explain the root causes of current security problems
4. Produce clear and concise descriptions of security problems on real world systems
5. Analyze systems for potential vulnerabilities

Slides contain material from Computer Security lectures taught by

- Prof. Dan Boneh from Stanford
- Prof. Wenke Lee from Georgia Tech
- Prof. Wenliang (Kevin) Du from Syracuse
- Profs. Zhang and Cole

These sources will be used for slides throughout the course

## Defining security

How would you define security?

- informal: protecting something (information, system) against stealing, changing, destroying, forging etc.
- Slightly more formal:
  - Ensuring that assets
    - Can be accessed by those with authority to do so
    - Cannot be accessed by those without it

The security of a system, application, or protocol is always relative to

- A set of desired properties
  - anonymity, confidentiality, authenticity, and more
- An adversary with specific capabilities ("threat model")
  - I put the pizza on top of the fridge so the dog couldn’t reach it. I forgot about the cat

## Key security concepts

Confidentiality: no unauthorized disclosure of information

- Tools to achieve it
  - Encryption
  - Access control
  - Authentication (passwords, biometrics, etc.)

Integrity: information is not altered from original content in unauthorized way

- Tools to achieve it:
  - Backups (hot and cold, on-site and off-site)
  - Checksums and hash functions

Availability: information and resources are accessible to those authorized to have it

- Threats:
  - Resource (e.g. website): Denial of Service (DoS or DDoS) attack
    - Example: Murai botnet makes popular websites unavailable (2016)
    - Video: Murai in 100 seconds
    - Example: DDoS attacks increase in work-from-home COVID-19environment
- Complexity attacks
- Data: ransomware
  - Example: WannaCry caused billions of $$ in damage 2017
  - One of fastest-growing attack types: payments and number on the rise

- Tools to achieve it:
  - backup power
  - isolated networks ("air-gapped systems")
  - no single point of data storage (e.g. RAID)
  - data backups
  - robust server infrastructure

### Other security goals

Authenticity: identity of an entity (issuer of info/message) is verified

Anonymity: identity of an entity remains unknown

Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)