September 30
Introduction: The Cybersecurity Challenge
Lecture Slides
Course Info Handout
October 5 (Tuesday)
Tech Breakout I: Internet Basics
Lecture Slides
Suggested Readings
How Internet Infrastructure Works : A description from "How Stuff Works" providing a high-level overview of the Internet architecture.
How Does the Internet Work? : An introductory yet in-depth description of how major components of the Internet infrastructure operate.
October 7
How To Think About Cybersecurity
Required Readings
How to Hack a Bank : An older article describing vulnerabilities and losses within the banking industry due to Internet attacks. Only the first 14 numbered sections are required reading.
UCITA - A Security Threat : Outlines a controversial piece of proposed legislation that would allow software-makers to legally install backdoors in commercial software.
What You Need to Know About Phishing : An overview of the phishing problem from Microsoft. Take note of how the article outlines the many different actors that come into play when attempting to fix this vulnerability.
Gambling Sites, This is a Holdup : Describes the current threat posed to online businesses by Denial-of-Service extortion threats.
Monopoly Considered Harmful / Monocultures are Hard to Find in Practice : Point, counter-point articles by leading experts discussing the threat of monoculture within cybersecurity.
License PC Users? It's a Thought : Article discussing the oft-mentioned proposal to require a license to use the Internet, in hopes of curbing security issues caused by unknowledgeable users.
New Hope for a Security Lock-down : Takes a look at the role government can play in defining security standards and using its significant buying power to influence the security of commercial products.
October 12 (Tuesday)
Tech Breakout II: Viruses, Worms, Firewalls and Crypto
Lecture Slides
Suggested Readings
SANS Top 20 Vulnerability List : An evolving list citing the top 10 vulnerabilities in both Windows and Linux systems. Scan this article and pay particular attention to the description of each vulnerability and the details of what must be done to mitigate it.
October 14
An Operational Perspective of Cybersecurity
Video Lecture : Arthur Pyster, Federal Aviation Administration (FAA) Deputy Chief Information Officer
Required Readings
How to Spend a Security Dollar : This article provides one view of how a company should spend its budget for IT security. While reading, make a note of areas you think need either more or less money than the author suggests.
Suggested Readings
Companies Adapt to a Zero Day World : Article describing the challenge corporations face from the potential for a "zero-day exploit", one released before a patch is available.
October 21
Cybersecurity Policy
Lecture Slides
Required Readings
Critical Information Infrastructure Protection and the Law (pages 8-24) : Covers a brief introduction to critical information infrastructure protection and explores the key issue of information sharing within a public-private cybersecurity partnership.
The National Strategy to Secure Cyberspace : The guiding document for the US government's cybersecurity efforts. Outlines the threat and the government's initiatives focusing on a public-private partnership and information sharing. The 10 page Executive Summary is required, but the remainder of the document will be extremely helpful in being able to critically analyze the ideas presented in the plan.
Suggested Readings
US Cybersecurity Chief Resigns : Article covering the resignation of Amit Yoran as the head of DHS cybersecurity efforts, citing frustrations concerning the importance of cybersecurity within DHS.
DHS moves ahead with cybersecurity R&D efforts : Article outlining major DHS R&D initiatives within cybersecurity.
Progress and Challenges in Securing the Nation's Cyberspace : A July 2004 report by the Office of the Inspector General analyzing the progress DHS has made toward improving national cybersecurity.
October 28
Cybersecurity and Law: The End-to-End Principle and Unauthorized Access
Guest Speaker: Jennifer Granick, Stanford Law School
Required Readings
18 U.S.C. 1030 - The Computer Fraud and Abuse Act : US federal law outlining illegal behavior on computer systems, serving as an introduction to the concept of unauthorized access.
eBay, Inc v. Bidder's Edge : A 2000 court case in which eBay claims that the use of automated querying of their auction database by auction-aggregation site Bidder's Edge constituted unauthorized access. Pay particular attention to the case background (Section I) and the portion of the case dealing directly with trespass (Section II.B.1).
Intel v. Hamidi Considers Trespass in Cyberspace : Article covering a case dispute between Intel and a former employee using Intel's email system to contact former employees. The text is very readable and provides an interesting comparison to the notion of unauthorized access presented in eBay, Inc v. Bidder's Edge.
Suggested Readings
Intel v. Hamidi : Full text of the California Supreme Court 2003 decision on the Intel v. Hamidi appeal.
November 4
Market Incentives and Security Metrics
Guest Speaker: Kevin Soo Hoo, Sygate
Lecture Slides
Required Readings
The Role of Economic Incentives in Securing Cyberspace : Draft paper authored in part by our guest speaker that examines the economic incentives of critical infrastructure protection and makes an argument for a change in direction for national cybersecurity policy.
A Guide to Security Metrics : Introduction to the important field of security metrics, from the SANS Institute.
Suggested Readings
Why Information Security is Hard - An Economic Perspective : An often cited paper by Ross Anderson on the impact of economic incentives in information security.
Sarbanes-Oxley Explained : A whitepaper explaining the responsibility of a company's IT personnel resulting from SOX legislation.
November 11
Assessing the Threat
Guest Speaker: Peter Neumann, SRI
Required Readings
Is There a Cybersecurity Threat to National Security : A compilation and analysis of some of the risks faced by the United States as a result of its dependence on the Internet. The paper is authored by Sean Gorman, a graduate student whose thesis mapping physical telecommunication lines was classified in a highly publicized incident. The text contains many interesting references, but the overall analysis is best read critically.
Nations use Net to spy, plot attacks: ex-Bush aide : Brief article citing former cybersecurity chief Richard Clarke speaking to concerns about current malicious use of the Internet by nation-states.
Suggested Readings
How Real is the Cybersecurity Threat? : Video of a 2002 panel including members from the Office of Cyberspace Security, Microsoft, backbone provider Genuity, Verisign, and a financial services company. Based on their personal background and experience, each offers a different perspective of the current threat and who is responsible for improving the security of the Internet.
Frontline Cyberwar! : A well-known and quite dramatic video created by PBS looking at the threat faced by the United States in cyberspace. This fun presentation of the cyberthreat is best viewed critically but does offer worthwhile insights. The site also contains many worthwhile interviews with experts from fields related to national security, critical infrastructure protection and Internet security.
Computer-Related Risks and the National Infrastructure : Congressional testimony by our guest speaker Peter Neumann. While the testimony is from 1997, much of the high level content remains very pertinent today.
November 18
What Do We Want in a Future Information Infrastructure?
Guest Speaker: David Alderson, CalTech
Lecture Slides
Required Readings
Critical Information Infrastructure Protection and the Law (Chapter 4) : The text's brief final chapter entitled "Looking Forward" considers a host of concerns and questions as we consider how the Internet will evolve in the future, both for users and operators. Pay particular attention to the discussions of economics/insurance, the importance of trust, and the relationship between security and privacy.
GovNet, What is it good for? : Wired article looking at another approach: GovNet is a proposal for the creation of a separate and highly secure network infrastructure for government use. Consider what problems such a strategy both raises and solves.
Suggested Readings
Robustness and the Internet: Design and Evolution : A paper looking at complexity and robustness issues within the Internet infrastructure and how we can change the architecture to meet future design requirements.
Cyber Security Research & Development Agenda : The Institute for Information Infrastructure identifies what it considers to be the major challenges facing researchers in disciplines relating to cybersecurity. This is a large document, but it is worth scanning for sections of interest.
November 22
Liability, Negligence and Cyber-Insurance
Guest Speaker: Erin Kenneally, San Diego Supercomputing Center
Lecture Slides
Required Readings
Stepping on the Digital Scale: Duty and Liability for Negligent Internet Security : Internet security and legal expert Erin Kenneally provides a strong background in liability law and then analyzes how major cybersecurity stakeholders may be impacted by liability in the future.
Suggested Readings
Critical Information Infrastructure Protection and the Law (Chapter 3) : The text's third chapter entitled "Liability for Unsecured Systems and Networks" looks at the three high-level means for securing network assets: criminal law, civil law, and regulation. A particularly valuable portion looks at how best practices would impact the use of tort law to drive others to secure their networks.
December 2
Legislative Debate
Final Assignment: Legislative Policy Analysis (due in class Dec. 2nd)
Case Study 1: Corporate Information Security Accountability Act of 2003 (CISAA)
Text of Legislation : Congressman Adam Putnam. U.S. House of Representatives. 2003.
"Cybersecurity legislation may go to Congress," Grant Gross. Computer World. September 2003.
Case Study 2: Internet Service Provider Security and Accountability Act of 2004 (ISPSAA)
Overview of Legislation : The Honorable Senator Daniel Keith Martin. U.S. Senate in Exile. 2004.