CS 571: Case Studies in Cybersecurity

Goals of the Course

This course has several goals. It seeks to teach you to think sophisticatedly about cyberattacks, learning to distinguish between noisy, but ultimately unimportant, attacks, and serious ones, to be able to analyze the underlying causes of an attack, including social and economic aspects, and to learn to think about these various aspects in designing secure systems.

Each of the areas to be discussed --- national-security aspects of cybersecurity, criminal activities in cyberspace, usability and privacy, legal aspects of cybersecurity --- are deep subjects in and of themselves, and a single course cannot expect to deeply cover them. Instead, this course will be an introduction to those topics, studying them alongside the analysis of various attacks, in order to develop a richer way to analyze cyberattacks. The course will be rich in readings, will require students to actively participate in discussion, to present an analysis of a cyberattack, and to develop a requirements document for designing a human-facing security system. Students will be expected to read, talk, and think, and to engage fully in the material --- and to learn a lot about the social aspects of cybersecurity.

Readings:

There are a variety of readings for the course. I will be relying on various National Academies studies on cybersecurity. These reports can be downloaded for free, or if you prefer, you can purchase hard copies; see for a full list of National Academies reports on cybersecurity. We will be using:

You'll each be presenting an analysis of a cyberattack in class. One book that covers a number of the attacks we'll be discussing is Jason Healey's A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Atlantic Council, 2013; you may wish to purchase it.

In addition, we'll have various papers and book chapters to read; links are below. Please note that some remain to be added (and those from student presentations will be added shortly before the presentation).

January 16: Introduction to the Course and Understanding Sony

January 20: Framing the Issues

January 23: Guest Speaker: Chris Inglis, former Deputy Director, NSA

January 27: Why Technology Makes Cybersecurity So Hard

January 30: Understanding Cyberattack and Cyberexploitation

February 3: Cyberwar (a brief discussion)

February 6: Guest Speaker, Tyler Moore: Introduction to Security Economics

February 10: Is Cybercrime a Problem?

February 13: Cuckoo's Egg and Morris Worm (student presentations)

February 17: IBM Christmas Card and Solar Sunrise (student presentations); Code Red

February 20: Guest Speaker, Alex Smith, Professor, Social Science and Policy Studies, WPI

February 24: Conficker; Melissa and ILOVEYOU Virus (student presentation); Titan Rain/Aurora (student presentation)

February 27: Tracking Attackers; Critical infrastructure attacks

March 3: The Considerations in Securing Critcal Infrastructure

March 6: attacks on Estonia and Georgia

March 17: Passwords, Usability, and Identity Management

March 20: Guest Speaker: Mary Ellen Zurko, Security Architect, Cisco

March 24: Privacy: Legal, Policy, and Technical Approaches

March 27: Cybersecurity and The Threats to Privacy

March 30: Why Failures Happen

April 3: No class (Passover)

April 7: Stuxnet and Arab Spring

April 10: Guest Speaker, Chris Demchak, Professor, Center for Cyber Conflict Studies, US Naval War College

April 14: The Crypto Wars

April 17: Cryptographic Standards and Dual EC_DRBG

April 21: No class

April 24: No class

April 28: The Legal Framework I: US Wiretap Law, the Snowden Disclosures, and the Future

May 1: The Legal Framework II: Computer Fraud and Abuse Act and Digital Millenium Copyright Act.

May 5: In-class test.

Note that the syllabus and the readings are subject to change.

Expectations

Class participation is important in this class and will count for 15% of the grade.

Presentation

Everyone will do a class presentation analyzing a particular cyberattack. See MyWPI to sign up for a presentation. The presentation will count for 25% of your grade, and has several parts: The presentation and handout should address the following issues:

Rapporteur

Either individually or as part of a small group, everyone will also sign up on MyWPI to be a "rapporteur" for one of the student cyberattack presentation. Your role is not to present, but rather to lead the discussion post the presentation. You should ask questions and illuminate issues that you thought need further explication. Note that your role is not adversarial but rather that of a friendly interlocuter; you should be helping the presenter explain issues he or she did not cover or emphasize in sufficient depth. You should feel free to consult with the presenters but you should work independently and not coordinate your efforts. Serving as a rapporteur will be 5% of your grade.

Papers

You will have three writing assignments in this course:

Project

This project, which is to be done individually, involves writing a seven-page product requirements (PRD) document for a teaching hospital identity management system; the hospital will be based in the US. Let me unpack that for you.

A product requirements document is a company document that lays out a product's specification in the initial stages of an effort. In the case of software, for example, is written before the system's architecture is drawn up. It is a high-level document that clearly and precisely describes the proposed product's niche, purpose, features, and anticipated functionalities. The purpose of such of a document is to educate higher level management and potential partners about the proposed product; it has a secondary purpose to ensure that the product's designers understand the big picture of what they building.

As you undoubtedly already know, and will learn in greater detail, passwords are increasingly problematic. All of us have to remember too many. Various solutions to the password problem have been proposed, including hardware tokens; one important one is federated identity management, in which there is an Identity Provider that authenticates the user and then Service Providers that rely on this authentication. As a WPI student you already use federated systems without necessarily knowing it. The US federal government is launching a major effort in federated identity systems. I will be briefly discussing these systems in class on March 3 --- and you should do further reading.

I am asking you to do this design for a teaching hospital. That will involve several different considerations. Hospitals have lots of information sharing: doctors, nurses, and technicians, insurance companies and billing, etc. So you have to think about the authentication issues in that context (Who can get information from whom? What kind of authorization should be needed?). Because the hospital is based in the US, it will have to obey the Health Information Portability and Accountability Act (HIPAA) so you'll have to consider privacy in your architecture. In addition, it is a teaching hospital, there will need to be sharing of research data as well as student records; the latter will bring in Family Educational and Privacy Rights Act (FERPA), which protects student records.

A normal PRD for such an effort would be relatively long; I am requesting a short, five-seven page, paper. So you can't do a full architecture. What I'm looking for is a clear description of the design requirements --- think about the users' needs --- and how the architecture you propose will satisfy these. Note that in particular this does not mean a recitation of what HIPAA and FERPA say. Rather it involves desigining the architecture in a way that satisfies user needs, security requirements, and HIPAA and FERPA requirements.

I realize this assignment is demanding. You've never written a PRD before, you've never worked with identity management systems, HIPPA and FERPA implications add complexity. The purpose of the exercise is to make you synthesize the different pieces and put together something clear. It's the kind of thing you'd be asked to do in a security role at a company or in the government.

So go for it and have fun! Oh, and yes; this is worth 25% of your grade.

Grading

You will be graded on the readings, class participation, a class presentation, a short paper, a project design , and one in-class test on May 5. The grading in this course will be based on:

How to Contact me

My office is Salisbury Labs 310F. I will have office hours on Tuesdays 11-12 and Fridays 9-10. I will also sometimes hold office hours on Thursdays. Occasionally I will have to travel and will be out during regular office hours. If you need to ask a question and you don't catch me after class or during my office hours, you can always send me email. My address is slandau@wpi.edu. Please put "CS571" in the subject line so that I know the context of the mail. I'll reply, not right away, but within twenty-four hours. Note that I am unlikely to reply to class email over the weekends.