CS 3710: Intro to Cybersecurity (slides): Intro to Cybersecurity

# Intro to *Intro to Cybersecurity*
## CS 3710: Intro to Cybersecurity

===

## Why cybersecurity?

---

## Why cybersecurity?

Electronic systems are pervasive in our personal and professional lives. We use
them to store all kinds of confidential information; to express ourselves and
connect with one another; to manage our health, our finances, and much more.

---

## Why cybersecurity?

From a defender's perspective, cybersecurity is about

- _**accurately identifying and assessing**_ the risks that you face, and
- building a _**practical plan**_ that allows you to appropriately _**mitigate
  and respond to those risks**_.

</div>

From an attacker's perspective, it's about _**obtaining and leveraging
access to systems**_ to attain various operational objectives.

</div>

notes:

Security = Cybersecurity

---

## WannaCry

</figcaption>
</figure>

notes:

WannaCry was a ransomware strain that infected hundreds of thousands of systems
around the world in May 2017.

WannaCry exploited a vulnerability known as EternalBlue in Windows' SMB (Server
Message Block) protocol. It encrypts all of the data on a machine and then tries
to spread to other machines on the same network. It leaves a ransom note saying
that all of the data on the machine would be left irrecoverable unless the
victim paid a ransom (there are no known cases where people got their data back
from paying the ransom).

One of the most heavily impacted organizations was the United Kingdoms' National
Health Service (NHS), which runs the UKs' publicly-funded healthcare system. As
many as 70,000 devices in NHS hospitals were infected, which included computers
containing patients' informatoin and medical systems.

References:
- [Wikipedia page on
  WannaCry](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack)
- [BBC article on NHS impact](https://www.bbc.co.uk/news/health-39899646)

---

## Equifax data breach

*Source: Federal Trade Commission*

</figcaption>
</figure>

notes:

In 2017, Equifax (a credit reporting agency) was hacked, leaking private records
from almost 150 million Americans.

The breach started in May 2017 when hackers discovered that Equifax had failed
to patch a severe vulnerability in the web framework Equifax was using. The
attackers got access to Equifax's internal network and leveraged that to obtain
credentials for Equifax's database. The attackers slowly exfiltrated data off of
the Equifax servers to avoid detection, and Equifax didn't notice the attack
until two and a half months later.

In addition to exploiting Equifax's slowness to patch security vulnerabilities,
it turned out that Equifax was missing many other key preventative measures that
could have helped to impede the attack.

- Poor network segmentation that allowed the attackers to easily pivot into
  Equifax's internal network.
- Lack of breach detection mechanisms, which gave the attackers a lot of time to
  pull data off of Equifax's servers.

Some of the results of the breach:

- First/last names, SSNs, birthdays, addresses, and drivers license numbers for
  about 150 million people in just the US.
- Credit card numbers for 209,000 people, and dispute documents with PII for
  182,000.

References:
- [Wikipedia page on the Equifax data
  breach](https://en.wikipedia.org/wiki/2017_Equifax_data_breach)
- [FTC settlement
  info](https://consumer.ftc.gov/consumer-alerts/2019/07/equifax-data-breach-settlement-what-you-should-know)

---

## Ashley Madison hack

*Source: Ashley Madison*

</figcaption>
</figure>

notes:

Ashley Madison is a website for adults looking to engage in affairs outside of
their marriages. It was hacked in July 2015, and a dump of > 60GB of data was
leaked to the public.

Some of the fallouts:

- People who committed suicide after their name was published in the leak.
- People having to flee countries where homosexuality is punishable by death.
- Also people who weren't actual users of Ashley Madison whose lives were
  ruined. Ashley Madison didn't require users to verify their email account, so
  it was common for people to sign up with email addresses that didn't belong to
  them.

References:
- [Ashley Madison data
  breach](https://en.wikipedia.org/wiki/Ashley_Madison_data_breach)
- [Wired article on the fallout of the Ashley Madison
  breach](https://www.wired.co.uk/article/ashley-madison-have-i-been-hacked)
- [A Guardian article on the
  fallout](https://www.theguardian.com/technology/2016/feb/28/what-happened-after-ashley-madison-was-hacked)

---

## Impacts on UVA

</figcaption>
</figure>

notes:

Attackers used a phishing scheme to obtain credentials for some UVA employees in
2016. Some of the information that was stolen included W-2 tax forms for
employees and direct deposit bank records.

References:
- [WaPo
  article](https://www.washingtonpost.com/news/grade-point/wp/2016/01/22/phishing-hack-at-the-university-of-virginia-compromises-employee-computer-records/)

---

## Stalkerware

</figcaption>
</figure>

notes:

Cybersecurity can also be relevant at a personal level.

Stalkerware is a type of malware that domestic abusers can install on their
partner's on relatives' phones to track everything that the phone is doing.

This malware can be really difficult to detect (especially if you don't have a
background in mobile security) and can be extremely invasive. Some of the
information it collects includes

- your current location via GPS
- any phone conversations that you have
- all text messages that you send and receive
- all of your emails
- record ambient sound and conversations you have in the real world through your
  phone's microphone.

References:
- [Motherboard overview of
  stalkerware](https://www.vice.com/en/article/nejmnz/when-technology-takes-hostages-the-rise-of-stalkerware)
- [Case study, also from
  Motherboard](https://www.vice.com/en/article/bmbpvv/i-see-you-a-domestic-violence-survivor-talks-about-being-surveilled-by-her-ex)

---

## Stalkerware

*Source: Wired*

</figcaption>
</figure>

</div>
<div class="col">

</figcaption>
</figure>

</div>
</div>

notes:

Addendum: In some cases, stalkerware is just a thinly-repackaged of spyware used
by governments against dissidents. That is: malware that was developed and
deployed by security engineers for governments has also been used to help
domestic abusers perpetrate violence against their partners.

References:

- [Motherboard series on
  stalkerware](https://www.vice.com/en/topic/when-spies-come-home)
- [Wired article on Eva Galperin +
  stalkerware](https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/)
- [Eva Galperin TED talk](https://youtu.be/xzWFrHHTrs8) (good place to start
  might be ~6:25)

===

## CIA triad

The _**CIA triad**_ is a common model for assessing the security of a system.

"CIA" stands for _**confidentiality**_, _**integrity**_, and _**availability**_.

</div>

---

## CIA triad

_**Confidentiality:**_ is sensitive data kept private?

</div>

_**Integrity:**_ are data or systems being tampered with?

</div>

_**Availability:**_ are users able to access systems?

notes:

Good summary of the CIA triad:
https://www.fortinet.com/resources/cyberglossary/cia-triad

</div>

===

## Cyber kill chain

From the attacker's perspective, the _**cyber kill chain**_ is one common model
of offensive operations.

</div>

</div>

notes:

(Not sure the juxtaposition of CIA triad / cyber kill chain makes much sense;
the former is a model for assessing security posture whereas the latter is a
model of operation flow.)

---

## Cyber kill chain

_**Reconnaissance:**_ gather information about a target

</div>

_**Weaponization:**_ create an attack vector to exploit a vulnerability

</div>

_**Delivery:**_ launch the attack against the victim

</div>

_**Exploitation:**_ execute malicious payloads within the victim's system

</div>

</div>

---

## Cyber kill chain

_**Installation:**_ install malware onto the victim's system

</div>

_**Command & Control (C2):**_ use malware to take control of a device and move
laterally across the network

</div>

_**Actions on objectives:**_ using footholds achieved in the previous steps,
the attacker carries out their intended goals

</div>
</div>

</div>

===

## About this class

---

## Course objectives

- Understand the attacker's perspective: offensive operations, vulnerabilities
  and exploits, malware development, etc.

- Learn defensive techniques: cryptography, networking, system administration,
  monitoring, etc.

This course is intended to help software engineers learn a security mindset, and
prepare security engineers by giving them the tools they need to tackle
real-world cybersecurity problems.

---

## Resources

_**Course website:**_

[https://cs3710.kernelmethod.org/](https://cs3710.kernelmethod.org/)

</div>

The course schedule (with due dates) is on the website. The schedule may be
shifted around to help accommodate the pace of the course.

The syllabus will also be uploaded to Collab.

---

## Resources

_**Office hours:**_ office hours with the TAs are still being finalized. I will
be holding individual office hours from 11am - noon on Tuesdays.

_**Discord:**_ I will send out an invitation soon to join the Discord for the
class.

- Email and Discord are probably the easiest ways to get in touch with me
  outside of office hours.

---

## Class information

_**Prerequisites:**_ CS 2150 or CS 3100 with a grade of C- or higher

You should also be familiar with (or able to teach yourself) Python for the
programming assignments.

_**Times:**_ MoWeFr 1:00pm - 1:50pm

_**Location:**_ Olsson Hall 120

_**Grading breakdown:**_ 100 points total

- _Homework (labs, programming assignments):_ 9 points/assignment
  - The two lowest homework assignments will be dropped.
- _Lightning talk:_ 9 points
- _Midterm:_ 14 points
- _Final:_ 14 points

---

## Homework: labs & programming assignments (63 points)

There will be 7 labs and 2 programming assignments; each one is worth 9 points.

Assignments will be due on Fridays by 11:59pm; see the course schedule for more
info.

_**Late policy:**_ all assignments, *excluding Lightning Talks*, may be
submitted late up to three days after the due date, without penalty. Assignments
submitted after the three-day deadline will not be accepted.

---

## Lightning talks (9 points)

Each student will be responsible for recording one 5-10 minute _**lightning
talk**_ on a cybersecurity-related topic of their choice at some point during
the semester. Example topics:

- a tool;
- a historical event;
- a specific vulnerability;
- a strain of malware;
- and more! Ask the instructor / TAs if you need help finding an idea.

---

## Lightning talks (9 points)

There will be a sign-up sheet for you to do a video recording of your talks for
Fridays throughout the semester. Selected talks will be presented in-class.

You only need to submit a lightning talk for the date you sign up for. Lightning
talks must be submitted two days before the date. E.g., if you sign up to
present on Sep. 9th, you must submit your talk by 11:59PM on Sep. 7th.

---

## Midterm and final (14 points each)

There will be two exams during the course, a midterm and final, that are each
worth 14 points.

The midterm will cover the first half of the course and the final will cover the
second half. Each will be run in a CTF-style environment where you will have to
accomplish offensive and defensive objectives for points.

---

## Reading materials

There is _**no textbook**_ for the class.

Some of the homework assignments may require you to do some reading from various
(free) online resources.

---

## Honor policy

All assignments are individual assignments.

Discussion is okay, but solutions and code must be yours and yours alone. You
may not copy solutions, and you may not share them until grades have been handed
back to you.

Please make sure you have read and understand [UVA's honor
code](https://honor.virginia.edu/), which you are expected to follow for the
class.

---

## Honor policy

In addition, you are expected to respect guidelines on what machines you can
attack and information you can access during the class.

If you try to attack or exploit any systems that haven't been explicitly
allowed, you can face criminal prosecution, in addition to the University
Judiciary Committee and impacts on your grades.

(We'll discuss this more in a moment.)

---

## Sensitive topics

All areas of computing can have adverse effects in the real world. But among all
areas of computing, the adverse impacts of cybersecurity are some of the most
directly and immediately felt.

</div>

This class may occasionally touch on sensitive topics, including
spyware/stalkerware, CSAM, and so on.

My goal is to make this a safe learning environment for all students. If you
feel uncomfortable with any of the material being presented please let me know
and I can adjust my slides appropriately.

</div>

===

## Who am I?

---

## Who am I?

_**Name:**_ Will Shand (please call me Will!)

_**Email:**_ [wss2ec@virginia.edu](mailto:wss2ec@virginia.edu)

I'm a PhD student in the department, doing research in cryptography and machine
learning.

I worked in the security industry before coming to UVA.

I'm also a co-organizer of [BSides Boulder](https://bsidesboulder.org), which is
an annual security conference held in Boulder, CO.

</div>

</div>

===

## Who are you?

---

## Who are you?

- You want to learn more about security engineering, from either a defensive or
  offensive point of view.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="1">

- You're interested in learning about security as a part of system
  administration and the software development cycle

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="2">

- You want to learn how to protect yourself from cybersecurity threats in your
  day-to-day life.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="3">

- You're trying to fill out your credit requirements for your degree (fair
  enough)

</div>
<div class="fragment fade-in" data-fragment-index="4">
<div class="fragment strike" data-fragment-index="5">

- You want to do cybercrime

</div>
</div>

---

## Security ethics

The first half of this class will teach you basic techniques for exploitation,
C2, and persistence. You'll get a high-level overview of the lifecycle of
offensive operations, and your first programming assignment will be to write
your own malware.

</div>
<div class="fragment fade-in" data-fragment-index="1">

This is all to say, you'll learn a lot about doing crime with computers.

I can't stop you from using your powers for evil, but generally wouldn't
recommend it unless you're willing to risk multiple years in jail and/or
hundreds of thousands of dollars in fines.

</div>

---

## Security ethics

<figure>
  <img src="../../img/intro/mangopdf_cybercrime.webp"style="max-height: 60vh;">
  <figcaption>
  
*Source: [@mangopdf](https://twitter.com/mangopdf/)*

</figcaption>
</figure>

notes:

[Original tweet](https://twitter.com/mangopdf/status/1285413781862940672)

[Presentation from
mangopdf](https://docs.google.com/presentation/d/1PJuPAIzpfdMrQvW56KTgsl3DC_xbQ9qvcG6xaNQ3mI8/edit#slide=id.g8db5102f2e_1_113)

---

## Security ethics

In general, unless you've been given _explicit permission_:

- don't try to gain access to a system you don't own, and
- don't try to access any information that is not directly and publicly
  available.

You can be prosecuted for computer fraud even if you had no malicious intent.

On systems that you *have* been given permission to attack, you are required to
respect any provided limitations or boundaries.

The course website, and any services under the
[virginia.edu](https://www.virginia.edu) domain, _**are not**_ permitted
targets.

===

## Linux basics

---

## Intro to Linux

The _**Linux kernel**_ is an open-source operating system kernel based on Unix.

"Linux" is usually used to refer to both the kernel as well as the family of
operating systems built on top of it. Popular Linux distributions include

- Debian
- Red Hat Enterprise Linux
- openSUSE
- Ubuntu

</div>

Tux, the Linux mascot

</div>

---

## Why Linux?

- Linux-based operating systems hold the largest market share in most areas of
  computing other than desktop/laptop computing.

</div>

- Linux knowledge partially transfers over to other Unix-based operating
  systems, e.g. macOS, iOS, FreeBSD, etc.

</div>
<div class="fragment fade-in-then-semi-out">

- Most of the tools that we'll be discussing and using are supported on Linux
  first, and have less (if any) Windows support.

</div>

notes:

Market share stats: Linux runs on
- 96% of web servers
- 79% of mobile devices (Android)

Worth noting that Linux is not really meaningfully more secure than Windows.
Comparisons between the two are difficult -- the latter has been more of a
target for malware in the past, but in the last few years attacks on Linux
systems have grown significantly.

References:
- [Linux market
share](https://en.wikipedia.org/wiki/Linux#Market_share_and_uptake)

---

## Kali Linux

_**Kali Linux**_ is a Linux distribution for digital forensics and security
auditing.

We'll be using it a lot in this class (especially in the first half) because
it's convenient and has all the tools we need pre-installed.

</div>

*Source: Offensive Security*

</div>
</div>

===

## Virginia Cyber Range

notes:

[Link to VCR](https://www.virginiacyberrange.org/)

---

## Virginia Cyber Range

The [Virginia Cyber Range](https://www.virginiacyberrange.org/) is
infrastructure provided by the state of Virginia to provide virtual environments
for students learning cybersecurity.

---

## Virginia Cyber Range

You will need access to a Linux environment for most of the labs and programming
assignments in this class. You will also need to be able to use various tools
like [Wireshark](https://www.wireshark.org/) and [John the
Ripper](https://en.wikipedia.org/wiki/John_the_Ripper).

I _highly_ recommend either signing up for Cyber Range, or creating a Kali Linux
virtual machine. Setting up a VM can be challenging if you haven't done it
before and can run into various issues based on your hardware, so the teaching
team will primarily be providing support for enrollment in VCR.

---

## Signing up for VCR

---

## Linux crash course

Most of your interaction with Linux is going to be through a terminal. In VCR /
Kali, you can start up a terminal by pressing the "Terminal Emulator" icon in
the top left corner.

You can also press the Kali icon and search "Terminal Emulator".

</div>
  <div class="col">

</figcaption>
</figure>

</figcaption>
</figure>

</div>
</div>

---

## Linux crash course

In the terminal, you will be presented with a prompt that looks something like
the following:

```bash
student@kali:~$
```

From here you can run various commands to interact with the machine. Some basic
commands include:

- `echo`: print something to the terminal output

</div>

```bash
student@kali:~$ echo "hello, world!"
hello, world!
```

---

## Linux crash course

- `whoami`: prints the name of the user you are currently logged in as

</div>

```bash
student@kali:~$ whoami
student
student@kali:~$ whoami
```

---

## Linux crash course

- `pwd`: print the directory that you are currently in
- `mkdir`: create a new directory (folder)
- `cd`: change directory

</div>

<pre>
<code class="bash" data-trim
  data-line-numbers="1-9|1-2|3-4|5-6|7-9"
  data-fragment-index="1">
student@kali:~$ pwd
/home/student
student@kali:~$ mkdir my_directory
student@kali:~$ cd my_directory
student@kali:~/my_directory$ pwd
/home/student/my_directory
student@kali:~/my_directory$ cd ..
student@kali:~$ pwd
/home/student
</code>
</pre>

`pwd` tells us what directory we're currently in

</div>
  <div class="fragment fade-in-then-out" data-fragment-index="2">

`mkdir` creates a new directory, `/home/student/my_directory`

`cd` allows us to "move into" the directory

</div>
  <div class="fragment fade-in-then-out" data-fragment-index="3">

`pwd` tells us we're now in `/home/student/my_directory`

</div>
  <div class="fragment fade-in-then-out" data-fragment-index="4">

`cd ..` moves us into the "parent directory", i.e. the directory "right above"
the one we're currently in.

In our case, the parent directory is `/home/student`

</div>
</div>

notes:

Specifically, `cd` allows us to change the current working directory using the
`chdir` syscall

---

## Linux crash course

- `man <command>`: check the man ("manual") pages for information on a command,
  function, etc.
- `man -k <search_term>`: search for a given term in the man pages
  - Useful when you aren't exactly sure what you're looking for!

You can also often get information about a comand by running `<command> --help`,
  e.g. `pwd --help`.

</div>

</figcaption>
</figure>

---

## Linux crash course

Some tips:

- Refer to the man pages often, and explore what information you can find using
  `man -k`
  - When there's info missing from the man pages, you can often find it on
    StackOverflow instead :)

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

- Tab completion: you can reduce the amount of typing by pressing `Tab` to
  finish a command. If there are multiple possible completions, `Tab` will print
  them out.

</div>
<div class="fragment fade-in" data-fragment-index="1">

- The `clear` command can be used to clear the terminal output (you can often
  press `Ctrl + L` as well)

</div>
</div>

===

## Lab 1