csc5930/9010 - Offensive Security

Instructor: Dr. Henry Carter (henry.carter 'at' villanova.edu)
Meeting Times: T 18:15-21:00
Location: Mendel Hall G92
Credits: 3
Prerequisites: CSC 2405 and perseverance
Office: Mendel 162A, (610)519-5412
Office Hours: MW 16:30-18:00, T 14:00-16:00, or by appointment
Webpage: http://www.csc.villanova.edu/~carterh/Courses/offsec/sp19/index.html
Schedule: click here
TA: TBD
TA office hours: TBD

Overview

Hacking computer systems and networks has been widely discussed in today's news and has been dramatized in entertainment as an activity for criminals and misfits. However, the vast majority of the public has no concept of how breaches are performed in practice. In this course, students will learn in a hands-on lab setting about the underlying computing concepts behind breaking a system, the techniques that are used, and tools that allow these hacks to be carried out. In addition, this course will delve into the ethical impact of real-world breaches, and will discuss techniques that could have been applied to mitigate the attacks. Finally, the course will examine ways that students can apply their knowledge of hacking for positive uses that improve the security of the Internet and could lead to careers in cybersecurity. If you are curious about what hacking really looks like and enjoy solving challenging puzzles, this course is for you.

Technical topics covered include program control flow analysis, basic code exploitation, network observation, network protocol attacks, developing exploit code, intelligence gathering, web application vulnerabilities, lateral movement, privilege escalation, physical security, device hacking, basic cryptography, social engineering, and physical security.

The course objectives are:

  • Students will demonstrate an understanding of the most common hacking techniques used by cyber criminals and how they are exploited.
  • Students will know what common tools are used to carry out cyber attacks, as well as what tools are used to defend against them.
  • Students will be able to execute basic attacks in realistic IT environments, and be able to analyze new vulnerabilities that they have not seen previously.
  • Students will be able to articulate the ethical impacts of real-world breaches and will be able to describe the most common defensive technology used both prior to and during a cyberattack.

Most of the course readings will come from the following book, with additional resources assigned as required readings.

  • Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson, (No Starch)

In addition, the following book provides optional reference material for many of the tools we will be studying in the course.

  • The Hacker Playbook 2: Practical Guide To Penetration Testing by Peter Kim, (Amazon)

A detailed list of lectures, readings, assignments, due dates (subject to change as the semester evolves) is available on the course schedule.

Grading

Students will be evaluated based on the following breakdown:

  • 20% Quizzes and exercises
  • 30% Exams
  • 20% Course project
  • 15% Ethical studies
  • 10% End of semester CTF
  • 5% Class participation

Scale: 70 ≤ C < 77 ≤ C+ < 80 ≤ B- < 84 ≤ B < 88 ≤ B+ < 90 ≤ A- < 94 ≤ A

Exam

The course will include one midterm and one final exam. Students will be responsible for material covered both in the readings AND lectures. Attendance is therefore recommended as not all class discussions will be covered in the text.

Quizzes

Quizzes will be given weekly at the beginning of class and will cover topics from the assigned readings. It is required that students do the reading prior class, as a good percentage of their grade will depend on them. Quizzes missed because of absences can not be made up unless arrangements are made with the instructor prior to the course meeting.

Ethical Studies

Periodically, students will be assigned reading on a real-world breach and will be required to complete a worksheet documenting the technical details, ethical impacts, and economic outcomes of each breach. These worksheets will be discussed in-class and will be graded for clarity and comprehensive coverage by the professor.

Project

The main deliverable of the course is the term project. Students will be expected to work alone or in pairs and will have the option to choose from one of the three following project options:

  • Identify a vulnerable application that is used in practice and develop an exploit that can be demonstrated for the class in a virtual environment.
  • Develop a tutorial for using a security tool that was not covered in class.
  • Develop an in-class lab exercise for future offerings of the course.
All projects will culminate with a written report as well as a short in-class presentation.

The project grade will be broken down into the following components:

  • 10% Project topic selection
  • 30% Final presentation
  • 60% Final report

All class assignments and project milestones are assessed a 15% per-day late penalty, with a maximum of 3 days, after which the assignment will not be graded. Students with legitimate reasons who contact the professor before the deadline may apply for an extension.

End of semester CTF

The final course period will be dedicated to a competitive capture the flag (CTF) competition that will allow students to apply their skills in a competitive environment. Winning the contest is not required to get a good grade, as students will be graded on this portion of the course based on a demonstrated understanding of how to apply course materials in an unguided exercise.

Class Participation

To do well in this course, students must take active and regular roles in discussion and demonstrate comprehension of the reading and lecture themes. Students are required to do the assigned reading before class. This will be closely monitored by the professor, thereby making a student's ability to demonstrate their comprehension of material essential to a receiving a passing grade.

Disabilities and Learning Support

It is the policy of Villanova to make reasonable academic accommodations for qualified individuals with disabilities. You must present verification and register with the Learning Support Office by contacting 610-519-5176 or at learning.support.services@villanova.edu. Accommodations cannot be made until verification is delivered to the professor, and cannot be enacted retroactively. For physical access or temporary disabling conditions, please contact the Office of Disability Services at 610-519-4095 or email Stephen.mcwilliams@villanova.edu Registration is needed in order to receive accommodations.

Academic Integrity Policy

All students are expected to uphold Villanova's Academic Integrity Policy and Code. Any incident of academic dishonesty will typically result in an "F" for the assignment and will be reported to the appropriate university officials. See the statement of the full policy on the Graduate Arts and Sciences website. You can view the Academic Integrity Policy and Code, as well as other useful information related to writing papers, at the Academic Integrity Gateway web site

Absences for Religious Holidays

Villanova University makes every reasonable effort to allow members of the community to observe their religious holidays, consistent with the University’s obligations, responsibilities, and policies. Students who expect to miss a class or assignment due to the observance of a religious holiday should discuss the matter with their professors as soon as possible, normally at least two weeks in advance. Absence from classes or examinations for religious reasons does not relieve students from responsibility for any part of the course work required during the absence. See the full University policy here.