Gini Khalsa

office hour - email

TPM: trusted platform management

SDLC - Security/system/software development Life Cycle

Encryption

40bit - 128bit

packets de-crypted

read content to come up with solution

who - how - what to do - why - how much -

ISO -

Module 1: Hardware Architecture

Those who cannot remember the past are condemned to repeat it. by George Santayana, 1905

Video

John Hennessy and David Patterson 2017 ACM A.M. Turing Award Lecture

1. History of Architecture - Mainframes, Minicomputers, Microprocessors, RISC vs CISC, VLIW

Software talks to hardware through a vocabulary called an instruction set architecture (ISA). By the early 1960s, IBM had four incompatible lines of computers, each with its own ISA, software stack, I/O system, and market niche—targeting small business, large business, scientific, and real time, respectively. IBM engineers, including ACM A.M. Turing Award laureate Fred Brooks, Jr., thought they could create a single ISA that would efficiently unify all four of these ISA bases.

2. Current Architecture Challenges Ending of Dennard Scaling and Moore’s Law, Security

3. Future Architecture Opportunities Domain Specific Languages and Architecture, Open Architectures, Agile Hardware Development

Readings

1. Hennessy, J. L. & Patterson, D. A. (2019). ACM Turing Lecture & article.

binary - bit

software

sys software

app software

hardware - equipment

firmware - bios (basic input and output sys) - pass over to operating sys

key logger

microsoft hwl

Module 2: Operating System

1. What is MS-DOS?

• MS-DOS = Microsoft Disk Operating System.
• Developed and released by Microsoft in 1981.
• It is a command-line interface (CLI) operating system, where users interact with the computer by typing commands rather than using a graphical interface.
• Extremely popular in the 1980s and 1990s on IBM PC-compatible machines, and served as the foundation for early versions of Windows.
• Typical commands included:
  • dir → list directory contents
  • cd → change directory
  • copy → copy files

2. What is NetBEUI?

• NetBEUI = NetBIOS Extended User Interface.
• Originally developed by IBM in 1985 for local area networks (LANs). Later, Microsoft adopted it in early Windows networking.
• It is a non-routable protocol: it works only within a single LAN and cannot be used across routers or the Internet.
• Strengths: fast, lightweight, and simple for small networks.
• Weaknesses: no routing capability, no scalability for large or distributed networks.
• NetBEUI has been largely replaced by TCP/IP, which is universal and supports routing.

3. VirtualBox and Virtual Machine Access

• VirtualBox is a virtualization software that allows a host machine (the physical computer) to run one or more virtual machines (VMs) as guests.
• Accessing another computer (or VM):
  • VirtualBox supports different network modes such as NAT, Bridged Adapter, and Host-Only Adapter.
  • These allow the VM to communicate with the host machine, other VMs, or external networks.
• Server and Client roles:
  • A Server provides resources (files, applications, or services).
  • A Client requests and consumes these resources.
  • In OS labs, it is common to configure one VM as a server and another as a client to simulate networked systems.

4. Directory Authorization and File Sharing

• Directory access control:
  • Operating systems allow read-only or read/write permissions to shared directories.
  • This is similar to Google Docs permissions: some users may only view, while others can edit.
• File sharing risks:
  • If permissions are too broad, any user may modify or delete files, leading to potential data loss or tampering.
  • In VirtualBox, the Shared Folders feature allows the host to expose a folder to the guest VM, with configurable read/write access.

5. Network Connectivity and Synchronization

• Connecting to a network:
  • When multiple machines (physical or virtual) are on the same network, they can access shared resources such as folders or printers.
  • “Hang syncly on two computers” → refers to two machines being synchronized by sharing the same network folder.
• File editing synchronization issues:
  • If two computers edit the same shared file at the same time, and there is no version control system (e.g., Git, SVN), one user’s changes may overwrite another’s.
  • Without logging or tracking, it is impossible to know who modified the file and when, making auditing difficult.

6. Security and Authentication

• No-key access in older networks:
  • In some legacy or simple LAN environments, any computer on the same network could access shared resources without additional authentication.
  • This posed serious risks: unauthorized users could read, edit, or delete files.
• Modern security practices:
  • Use SSH keys, Kerberos, or LDAP to enforce strong user authentication.
  • Implement audit logs to record who accessed or modified resources.
  • Adopt version control systems (e.g., Git, SVN) to ensure changes are tracked and recoverable.
  • Restrict access with principle of least privilege (users only get the minimum permissions they need).

Final Summary

These notes connect several fundamental topics in operating systems and computer networking:

• MS-DOS introduced the command-line era and shaped early PC operating systems.
• NetBEUI was an early LAN protocol, later replaced by the more robust TCP/IP standard.
• VirtualBox provides a controlled environment to simulate client-server interactions and networking.
• Directory permissions and file sharing highlight how operating systems manage resources and the associated risks.
• Network connectivity and synchronization show how data consistency issues arise in shared environments without version control.
• Security and authentication are critical to protect systems from unauthorized access and to ensure accountability.

从操作系统到网络的入门全景笔记

一、从单机到联网：为什么需要抽象和分层

在最早的计算机时代，每台机器都是“孤岛”，操作系统（Operating System, OS）主要负责管理物理机（Physical Machine） 的 CPU、内存、磁盘。比如 1981 年微软推出的 MS-DOS (Microsoft Disk Operating System)，它是典型的命令行界面（Command-Line Interface, CLI） 系统：用户只能在黑屏里敲命令 dir、copy 来管理文件。那时的世界几乎没有“联网”一说。

随着 1970 年代以太网（Ethernet）和 TCP/IP 的兴起，计算机开始互相交流。可是通信这事儿很复杂：有的人要发邮件，有的人要传文件，有的人要看网页……要让全世界的机器都能理解彼此，就得有一个分层模型：每一层只负责自己的一部分工作，并把结果交给上下层。这就是 OSI 七层模型（教学标准）和 TCP/IP 四层协议栈（工程现实）的来历。

分层的价值就像寄快递：

• 物理层（L1）＝道路，把货车开出去；
• 数据链路层（L2）＝门牌号，用 MAC 地址确认同一条街上的哪一户；
• 网络层（L3）＝城市地址，用 IP 地址决定往哪个城市送；
• 传输层（L4）＝快递箱号，用 **端口号（Port）**决定送到主机上哪个应用；
• 应用层（L7）＝快递里的物品，比如网页、视频或聊天记录。 就这样，一条 HTTP 请求，其实是“套娃打包”：应用数据被一层层加上 TCP 头、IP 头、MAC 头，最后化作比特流在物理介质上传输。

二、为什么要有“包”：从电路交换到分组交换

在传统电话系统里，用的是电路交换（Circuit Switching）：打电话时要建立一条独占线路，你沉默不说话时这条线路也不能给别人用。浪费大、脆弱、扩展难。

互联网采用了分组交换（Packet Switching）：数据被切成一个个包（Packet），每个包就像带地址的快递，独立走网络，到了目的地再组装起来。这种方式有三大优势：

1. 多人共享链路，提高效率；
2. 某个包丢了只需重传那一个，健壮性更好；
3. 网络设备只要处理固定大小的包，扩展性强。

因此，当你敲 ping 8.8.8.8 时，其实是操作系统在发一个 ICMP 包（Internet Control Message Protocol） 去问“在吗？”。对方机器收到后会回一个包“我在”。你屏幕上看到的往返时间就是这两个包跑了一来一回所花的时间。

三、局域网与 NetBEUI：早期小范围的沟通

局域网（Local Area Network, LAN） 就是一群物理上或逻辑上接在同一广播域（Broadcast Domain） 里的机器。它们可以直接用 MAC 地址互相通信，就像在同一个小区喊话。

1985 年，IBM 开发了 NetBEUI (NetBIOS Extended User Interface)，专门为小型 LAN 设计。它简单高效，但最大问题是不可路由（Non-routable）：包只能在本小区传，跨一个路由器就到不了。这意味着要么机器都插在同一个交换机/路由器里，要么压根通信不了。

今天，这个角色早就被 TCP/IP 协议族取代，因为 IP 包可以跨网段、跨路由、甚至跨地球。但 NetBEUI 的历史价值在于，它让人们第一次体会到“内网文件共享”的便利，也帮我们理解“为什么需要路由”。

所谓路由（Routing），就是在网络层利用 IP 地址和路由表（Routing Table）决定“下一跳（Next Hop）”该往哪里走，让包不再局限于同一个广播域，而是能跨越不同子网。如果说 NetBEUI 就像在一个小区里大声喊话，只有邻居能听见，那么路由器（Router）就是邮政系统的分拣中心，它能根据地址把包裹送往另一个小区、另一座城市，甚至跨越大洲。正是因为有了路由，互联网才真正实现了全球互联。

四、虚拟化与虚拟网卡：如何在一台机器里造出另一台

在 1960s 的 IBM 大型机上，虚拟化（Virtualization）被发明出来，是为了让一台昂贵的物理机服务更多用户。Hypervisor（虚拟机监控器）就是中间的魔术师，它把 CPU/内存/磁盘抽象出来，分配给一台台“虚拟机（Virtual Machine, VM）”。

以 Oracle 的 VirtualBox 为例，它是典型的 Type-2 Hypervisor，装在宿主机（Host）上，里面运行来宾系统（Guest OS）。对 Guest 来说，它看到的 CPU、磁盘、网卡都像真的一样，但其实这些都是虚拟出来的。

其中最重要的就是虚拟网卡（Virtual Network Interface Card, vNIC）。它在 Guest 里表现为一块标准“网络适配器（Network Adapter）”，有自己的 MAC 地址，能拿到 IP 地址。在 Host 一侧，这块 vNIC 被接入 虚拟交换机（Virtual Switch, vSwitch），再通过宿主的物理网卡走向外部网络。

五、VirtualBox 的三种常见网络模式

你在 VirtualBox 里配置“Adapter 1 / Adapter 2 …”时，其实就是在给虚拟机添加 vNIC，并决定它插在哪个“逻辑网络”里。

• NAT (Network Address Translation)：来宾和宿主共用一个对外出口，对外只看到宿主机。Guest 能上网，但外界不能直接访问 Guest。要让外界访问，需要设置端口转发（Port Forwarding）。
• Bridged Adapter（桥接模式）：Guest 拥有一个和宿主机同一网段的独立 IP，直接暴露在 LAN 中，和物理机地位完全相同。
• Host-Only Adapter（仅主机模式）：Guest 只和宿主机互通，对外完全隔离，适合做私有实验。

理解 OSI 层后，这三种模式就好懂了：

• 桥接 = 给 Guest 一块真正能在二层广播域里喊话的网卡；
• NAT = Guest 的 IP 被藏在宿主机后面，靠三层网络的“翻译”出去；
• Host-Only = 建立一个只包含 Host 与 Guest 的小广播域。

六、共享目录与安全性：谁能开门、谁能改文件

虚拟机里常见的共享方式有两种。第一种是 VirtualBox 提供的共享文件夹（Shared Folder），把宿主的目录直接挂载进 Guest，可以设置为只读或读写。第二种是走网络协议，比如 Windows 用 SMB、Linux 用 NFS，把文件夹发布成网络共享。

风险在于，如果权限控制不严，“谁都能写”，就容易被误删或恶意篡改。而且如果没有版本控制工具（Git、SVN），多人同时改同一个文件，往往是后保存的覆盖前保存的。现代的解决方案是两条路：一是用版本控制系统记录历史、允许回滚；二是用 Google Docs、Office 365 这样的协作编辑服务，由服务器负责冲突解决与修订历史。

七、认证与安全：从“插上线就能用”到“零信任”

在早期的内网，常常是“插上线就能访问”，没有身份验证，也没有细粒度权限。今天的安全理念强调“最小权限原则（Principle of Least Privilege）”和“零信任（Zero Trust）”。

开发者最常见的安全工具是 SSH (Secure Shell)：在客户端生成一对密钥，把公钥放在服务器上，私钥留在本地，以后登录时就能免密而且安全。企业网络里常用 Kerberos 或 LDAP/Active Directory 来做集中身份认证和单点登录（SSO），这解释了为什么有时你只要登录一次公司账号，就能自动访问内网资源。

回到 VirtualBox 的网络模式：

• NAT 默认最安全，外界进不来；
• 桥接要小心，因为 Guest 就直接暴露在内网；
• Host-Only 是最隔离的，适合做教学实验。

八、总结与记忆路线

1. MS-DOS → 操作系统的“单机命令行”时代。
2. 分层模型（OSI/TCPIP） → 网络需要模块化，包的概念来自分组交换。
3. NetBEUI → 局域网早期的尝试，只能在同一个广播域里喊话。
4. 虚拟化 / vNIC → 一台物理机里造出多台机器，每台都需要自己的网卡身份。
5. VirtualBox 网络模式 → NAT（翻译共用出口）、桥接（独立公民）、Host-Only（小黑屋）。
6. 共享与安全 → 权限与版本控制，避免误删与覆盖。
7. 认证的演进 → 从无验证，到 SSH、Kerberos、零信任。

记忆诀窍：把它想成一段人类“从孤岛到互联网”的故事——
单机 → 小区（LAN） → 城市（IP 网络） → 全球互联网 → 虚拟化复制小区 → 权限与安全保驾护航。

Module 3: Software Security Components

“See the ball, be the ball” is a famous quote from the 1980 movie Caddyshack, spoken by the character Ty Webb (Chevy Chase) to the young caddy Danny Noonan. The advice encourages a state of deep focus and intuition in sports, suggesting one should stop overthinking, let go of self-consciousness, and fully immerse themselves in the moment to become one with the action, like a golf ball in flight.

Discussion: Minimalized OS

What is it? Why? And how to realize it?

inbound rules and outbound rules

examine OS adoption trends

TPM - bitlocker

management perspective: identify critical part of your biz

Your view into the future of what these trends mean ot don’t mean for management and security

ask for authorization from higher level - delegated administration (till 1999)

privileged second device - that have the administrative rights (smart card to access the assets; and record everything you do)

what if scenarios and the clients’ requirements?

save all the logs on cloud sever with a infinite storage - what if someone tampered the network thing, the logs don’t push to the central server

Should admin be able to clear all the security without third party’s auditing?

Clear-EventLog -LogName System

When doing the clearing thing you need to move as a snail.

OS short paper

You are the host - you can do the searching and add new information. You don’t need to be Linux System.

Containers

the containers are separated from the OS. Container node 在 容器编排系统（比如 Kubernetes, Docker Swarm） 里，Node 就是运行容器的“机器”。

• 这台机器可以是 物理机，也可以是 虚拟机 (VM)。
• Node 上必须安装容器运行时（Docker、containerd 等），才能运行容器。
• 在云平台文档里，有时会把 专门运行容器的节点（区别于运行别的服务的节点）称作 Container Node。

How to bring it a step forward

SSL certificate - eg. georgetown canvas expire for 1 year

how to ensure AUTHENTICATION of biz and biz communication

SDLC (secure programming in a software development lifecycle)

GDPR

system - computer to the whole thing to the services

design - validate the prototype to match the requirements

tester - you won’t find

data exchanges - attributes; connected to the backend - change the security

Multiply button - logging in application

这节课大部分听不懂的都是名词，他们讨论的例子我不懂。

sigverif

code signing? cost sth.

1. Describe practices and requirements to ensure system security engineering.
2. Demonstrate command of the critical vulnerabilities impacting the web today.
3. Describe the underlying threats and execution methods for the most common vulnerabilities.
4. Analyze the software development lifecycle.
5. Describe isolation characteristics, why they are important at each layer.

net localgroup administrators

net share

control the DNS and redirect you to another domain

SQL injections

buffer overflow - write better code

Module 4: Encryption

device driver

Get-FileHash -Algorithm MD5 test.txt
Get-FileHash -Algorithm SHA1 test.txt
Get-FileHash -Algorithm SHA256 test.txt

Windows tracks every software installed on the computer.

Recap

Risk management? Why should we worry about it?

Everything we do is risk-based.

Encryption

what to encrypt?

• insensitive data

Digital Signature: https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl - National Software Reference Library (NSRL)

NDV: https://nvd.nist.gov/vuln/search#/nvd/home?resultType=records - NVD Vulnerability Search

IP address - IP chicken - show public ip and browser and OS versions(old legacy are not patched)

Why does this matter(http)? For whom it matters?

• Google itself? Advertisers?

Simplest encryption encounters into your mind?

• take a word - Hello + 3 = Khoor - Frequency analysis + The length of the word
• add some random stuff: 40bits - scramble every half binary bytes + random combination of file name characters

Only few parts know the rule of encryption - and no one else knows

make the encryption trustful - nist cavp as the trusting body - this is for the civil side; federal has its own encryption

Anonymity means your identity is never known or linked to your information, providing the highest level of privacy and preventing any connection to individuals.

Confidentiality means your identity is known by the individuals collecting the information, but they promise to protect this information from unauthorized parties, preventing the information from being linked to you in reports or public disclosures.

The key difference is whether your identity is known by anyone at all: if it’s unknown, it’s anonymous; if it’s known but protected, it’s confidential.

SSL, or Secure Sockets Layer, is a security technology that establishes an encrypted connection between a server and a client, preventing data from being stolen or tampered with during transfer. While SSL is the former standard and is largely replaced by its successor, Transport Layer Security (TLS), the terms are often used interchangeably. SSL certificates verify a website’s identity, secure user data during transactions, and are indicated by a closed padlock and an “HTTPS” prefix in a website’s URL.  

How SSL (or TLS) Works

1. Encryption: SSL encrypts data so that only the intended recipient can read it. 

• Data Integrity: It ensures that the data transferred has not been altered. 
• Authentication: It verifies the identity of the website or server the user is communicating with, helping prevent man-in-the-middle attacks.

SSL 3.0 = TSL 1.0

Now SSL 3.0 is expired.

Objectives

1. Describe confidentiality in terms of security considerations and separately privacy.
2. Describe  the applicability of integrity protections in architectural decisions for data, systems, and transport.
3. Identify security services and features used to provide CIA.
4. Apply cryptographic algorithms to solve the appropriate problems.

• certificate, digital signature, verification
• integrity of the message/content - share hashes - encryption (come up with codes)

Assignment

1. Need 3 diagrams - mspaint - authentication, encryption, and digital signatures
2. TLS

Module 5.1: Authentication, Authorization, Access Controls, & Audit

Become CA

YOU can become a CA by setting up the system and choose the algorithm

properties of new template - all the details can be customized

Domain Controller - this is not CA

Stacks

• Microsoft two-tier PKI test lab guide - for reproduce
• gpg4win
• Kleopatra
• aws client vpn tutorial

Why are authentication and authorization so difficult?

work group based authentication

今天的注意力有点太垃圾了，主要是被ssl更新夺走了注意力。

注意下周和下下周都是线上教学。

Module 5.2: Authentication, Authorization, Access Controls, & Audit

we see a real unit server in the data center.

192.168.0.120 - default IP address

password - root user create agent accounts with limited authority

track the ip address with specific account - write or read only

out-of-band network management - this could be a capstone: risk of the products

Assignment 2

flawed assignment - with the specific version of RedFish Specification, evaluate that product/document

Mid-autumn: Jeff is not allergic to peanuts

Module 6: Virtualization, Containers, & Microservices Architectures

PARK metaphor: kerberos

Talk to contoso to get a ticket

Domain Controller???

GENEVE

Hyper-V Manager/VMware …

SERVER1(YOU) — SERVER2(THEM)

Physical hardware - network adapter

VMs - connected to a VSwitch

802.1Q - VLAN(Virtual land)

An IPSec tunnel is a secure connection established over a public network, like the internet, using the IPsec protocol suite to create a virtual private network (VPN).

Wireshark

client capture infomation

motonori shindo GENEVE - geneve protocol

DEFAULT VPC

Nest Communication - VX

nslookup

The DNS server and stuff can be set up when you create a VPC in AWS/azure

learn Windows Sandbox & virtualbox

Universal Serial Bus （英语： 通用序列 汇流排 USB I 电脑 一种 ，缩写： 与 ）是连接 设备 ）连接端口的技术规范，广泛评估个人电脑和 的 序列汇流排标准，也是一种输入输出（ /O 行动装置等资讯通信产品，并扩展至摄影器材、数字电视（ 机上盒 ）、游戏机等其他相关领域。

Module 7: Information Management

Data vs. Info

Raw data:

Mickey
05-20-2002
Grapes
Cheese

With context (info):

On 05-20-2002 Mickey bought grapes and cheese.

Who cares? Dr. Duck; Mickey’s Insurance (Aflac)

cd ~

PS C:\Users\cy> type \windows\win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Function

Information processing - reporting (AI) - find a trend/pattern

On 05-20-2002 Mickey bought grapes and cheese. On 06-28-2002 Mickey bought grapes and cheese. On 07-02-2002 Mickey bought grapes and cheese. (anomaly?) …

or Mickey got a health problem

trend –> forecast | eg. for store, hold a clearance

Analysis: Mickey might inventory grapes and cheese every 30 days.

Microsoft Surface

remembering position by pressure

Structured data vs. Unstructured data

info company

• eicar
• iron mountain

Module 8: Data Centric Security Models

Zach’s Boiled machine

USB stick - boot up

temporal document

UEFI: PMAP

bypass the installation process to open cmd cosole(bad actor would do this) using SHIFT + F10

cls
c:
dir
dir /s /w/b

Explore data and documents - clean USB stick

xcopy *.* \users\Zach\ /s/e/
robocopy - built in Win; useful for research?? 

info system

internal use - Controlled Unclassified Information (CUI) [federal agency used term]

nara - https://www.archives.gov/

US-east-1 - aws website redundancy architecture

1. Multi-AZ (Availability Zone) Deployments:

• Compute: Deploying EC2 instances across multiple Availability Zones (AZs) within a single AWS Region. This protects against the failure of a single data center or AZ.
• Databases: Using Amazon RDS Multi-AZ deployments, where a primary database instance is synchronously replicated to a standby instance in a different AZ. In case of an AZ failure, RDS automatically switches to the standby. 
• Load Balancing: Utilizing Application Load Balancers (ALBs) or Network Load Balancers (NLBs) to distribute traffic across instances in multiple AZs, automatically routing traffic away from unhealthy instances or AZs.

2. Multi-Region Deployments:

• Disaster Recovery: Implementing a multi-Region strategy for disaster recovery, where the entire application or critical components are replicated in a separate AWS Region. This provides protection against regional outages.
• Global Databases: Using services like Amazon Aurora Global Database for multi-Region replication of databases, enabling fast failover and read replica capabilities across Regions.
• Global Content Delivery: Employing Amazon CloudFront to cache content at edge locations globally, improving performance and providing redundancy in content delivery.

3. Redundant Components and Services:

• Storage: Using Amazon S3 for highly durable and available object storage, automatically replicating data across multiple devices and facilities within an AZ.
• Networking: Configuring redundant connectivity, such as multiple VPN tunnels or AWS Direct Connect connections, to ensure continuous network availability.
• DNS: Leveraging Amazon Route 53 with health checks to route traffic to healthy endpoints and automatically failover to alternate resources in case of issues.

3. Automation and Monitoring:

• Automated Failover: Implementing automated failover mechanisms using services like AWS Lambda and CloudWatch Alarms to detect failures and trigger recovery actions.
• Monitoring and Alerts: Continuously monitoring all components of the workload using CloudWatch and other monitoring tools to detect and respond to failures proactively.
• Static Stability: Designing architectures that remain stable and functional even during failures, preventing bimodal behavior where the system behaves differently during recovery than during normal operation.

VPC - lab-rg(resource group)

subnet - spread the risk - don’t choose the same region

eg. us-east-1 has 6 data centers - they backup for each other

Multi-layer security -> Zero Trust

client system directly to the database system? NO!

Client Stand Alone and Server Stand alone – Network

data base stuff (password manager) <-> domain organization stuff

Yubi Key - BYOD(bring yout own device)

portal - DUO mobile/DUO service offline - can’t login to Canvas

phone1,2,3,4; tablet 1,2,3,4…

Do a search: FDA, connect - do work/execute commands - disconnect (or being automatically logged out)

Data centric stuff

root must be be on the localhost; %.killme.net - any machine on this net

terms

• BYOD
• Nessus (Software)
• Yubi Key
• Goofball
• contoso - dummy company created by MS
• DBA database admin

Many websites use 2FA. Some send a code in an email. Some send a code to SMS. YubiKey is a physical 2FA. You keep it on your keychain. Plug it into a comuter and/or scan it wirelessly and unlock a 2FA. Its a physical key to the digital world.

GPG4win - quantum computing - some kind been built up already

MySQL Self-learning

MySQL is one of the world’s most popular open-source databases.

The data within a database are naturally related, for example, a product belongs to a product category and is associated with multiple tags. Hence, we use the term relational database.

In a relational database, we model data like products, categories, tags, etc., using tables. A table contains columns and rows, much like a spreadsheet.

Tables can relate to one another table using various types of relationships, like one-to-one and one-to-many.

Because we handle a substantial amount of data, we need a way to efficiently define databases, tables, and process data. Moreover, we want to transform data into valuable information. This is where SQL comes into play.

SQL – the language of the relational database

SQL stands for the structured query language.

SQL is the standardized language used to access the database.

SQL is composed of three parts:

1. Data definition language (DDL) includes statements for defining the database and its objects such as tables, views, triggers, stored procedures, etc.
2. Data manipulation language (DML) contains statements for updating and querying data.
3. Data control language (DCL) allows you to grant permissions to users to access specific data in the database.

What is MySQL

MySQL got its name from the daughter of one of its co-founders, Monty Widenius, whose name is My. Combining ‘My’ with ‘SQL,’ we get MySQL.

Week 9: Managing Security Architecture with Broad Considerations

Backups

SSD chip - 128G (SoftWares) + OneDrive Pricing Plan (multiple junk accounts + files + personal vault)

NTFS, or New Technology File System, is ==a proprietary journaling file system developed by Microsoft that serves as the default for Windows operating systems since Windows NT 3.1==. It offers advanced features like file and folder permissions, encryption, compression, journaling for data integrity, and support for large volumes and files. Its robustness and security features make it ideal for modern Windows computers, although it has limited native support on other operating systems like macOS.

exFAT, or Extended File Allocation Table, is a modern file system designed by Microsoft for flash drives and external storage, overcoming the 4GB file size limit of FAT32. It is widely compatible with both Windows and macOS, making it a popular choice for sharing large files between devices, although it lacks some advanced features like built-in encryption and file permissions.

Today’s class

• Who
• When
• What
• Where
• Why
• How
• How much

Public Law (PL) - This is the invisible framework.

nsa - no such agency

NIST fdcc (https://www.nist.gov/publications/federal-desktop-core-configuration-fdcc-improving-information-security-windows)

Week 10: Network Security and its Evolution

Pre-class

• Cross over cable
• network switch
• straight forward cable

patch cores and patch panel

1 Physical Cabling and Connection Basics

Crossover Cable

• Used to connect two similar devices directly (e.g., PC ↔ PC or switch ↔ switch).
• The transmit (TX) and receive (RX) wires are crossed on opposite ends so signals align.
• Historically essential before Auto-MDI/MDIX NICs became common.
• Security note: a direct crossover link bypasses network equipment (firewalls, switches), so it offers no physical-layer control or monitoring—not suitable for secure enterprise setups.

Straight-Through Cable

• Connects different device types (e.g., PC ↔ switch, router ↔ switch).
• Pinouts on both ends are identical; the switch performs TX/RX signal swapping internally.
• Preferred in modern structured cabling because it keeps the physical layout uniform.
• Enables centralized control through network gear, which can enforce access control lists (ACLs), VLAN segmentation, and traffic monitoring.

2 Switching and Data-Link Control

Network Switch

• Operates at the OSI Layer 2 (Data Link Layer).
• Uses a MAC address table (CAM table) to forward frames only to the destination port instead of broadcasting to all ports.
• Benefits:
  • Each port has dedicated bandwidth (no collisions).
  • Supports VLANs to create isolated virtual networks.
  • Allows Port Security and MAC address binding to prevent unauthorized devices.
• Security relevance: the switch is the first real segmentation point in a secure LAN, reducing broadcast storms and limiting lateral movement.

3 Structured Cabling Components

Patch Cords (Patch Leads)

• Short, flexible Ethernet cables used for quick connections between outlets, patch panels, and active equipment (switches/routers).
• Common categories: Cat5e, Cat6, Cat6A.
• Designed for frequent handling and easy replacement without disturbing permanent cabling.

Patch Panel

• A rack-mounted panel that aggregates all permanent cabling from wall outlets or work areas.
• Each port on the patch panel terminates one fixed cable run; technicians use patch cords to “bridge” desired connections to switches or routers.
• Typical physical path:

  Workstation → Wall Outlet → Patch Panel → Patch Cord → Switch → Firewall / Router / Internet
  

• Security implications:
  • Central physical access point → lockable and documented.
  • Enables organized physical-layer management and auditable connectivity, deterring tampering or rogue plug-ins.

4 From Physical Connectivity to Security Architecture

1. Connectivity Evolution

   • Early LANs: simple hubs and crossover cables → shared media, easy eavesdropping.
   • Modern LANs: switched infrastructure + structured cabling → segmented, monitored, secure.
   • Future trend: software-defined networking (SDN) and micro-segmentation for policy-driven control.

2. Security Progression

   • Physical Layer → Prevent unauthorized plug-ins, maintain locked wiring closets.
   • Data-Link Layer → Switch-based isolation (VLANs, port security).
   • Network Layer → Firewalls, routing ACLs, intrusion prevention.
   • Collectively, these build the defense-in-depth model, where physical design underpins higher-level cybersecurity measures.

5 Key Takeaways

• Cabling types determine who can talk to whom at the most basic level.
• Switches provide intelligent traffic control and segmentation, forming the foundation for security zoning.
• Patch panels and patch cords create orderly, traceable, and secure physical infrastructures.
• Understanding these elements clarifies how network security begins at the physical layer and evolves upward to logical and policy-driven protection.

Discussion on last assignment

• proxy system monitor all the HR system
• put different database to seggregated physical/virtualized systems
• UK energy sector

New class - 7 layers

Physical

• F5 company eg. TP Link - no firmware updated and banned by US gov due to sec problem

Link

cable: green ww, red ww, orange ww, blue ww– 4 strands

The cable could be affected by electronic-magnificant effect/water/whatever

Cisco Packet Tracer

PC <-cable-> Switch <-cable-> server

Main wiring closet

ping test is to test physical and link layer connection

Network

gateway - control traffic

firewall - refuse access request

• 俄罗斯套娃

ESP (Encapsulating Security Payload) is a protocol within the IPsec suite that provides confidentiality, data integrity, and authentication for IP packets, making it a core component for securing VPNs. It achieves this by encrypting the packet’s payload and adding headers that ensure it has not been tampered with and comes from a trusted source, while the Authentication Header (AH) protocol focuses only on authentication and integrity

https://datatracker.ietf.org/doc/html/rfc8926

  +---------------------+           +-------+  +------+
  | +--+  +-------+---+ |           |Transit|--|Top of|==Physical
  | |VM|--|       |   | | +------+ /|Router |  | Rack |==Servers
  | +--+  |Virtual|NIC|---|Top of|/ +-------+\/+------+
  | +--+  |Switch |   | | | Rack |\ +-------+/\+------+
  | |VM|--|       |   | | +------+ \|Transit|  |Uplink|   WAN
  | +--+  +-------+---+ |           |Router |--|      |=========>
  +---------------------+           +-------+  +------+
         Hypervisor

              ()===================================()
                      Switch-Switch Geneve Tunnels

Figure 1: Sample Geneve Deployment

Virtual machine has an MAC address - inner address

Software kit

• Hyper-V manager (built in exe)
• windows sandbox
• Cisco Packet Tracer

Week 11: Privacy & Blockchain

Capstone:

<www.nocce.nist.gov>

Week 12: Customer Lec (Tricia McGill)

Anthropologist
Weapon Analyst
CIA
Army
Professor
Google

AI security: AI price is for free? Why? The data!

You ask AI things, you lose your keys to your kingdom.

SOC = Security Operations Center（安全运营中心）

它是企业负责 实时监控、分析和响应网络安全威胁 的核心团队或部门。
换句话说，SOC 就是专门盯着安全日志、告警、攻击流量的地方。

run books - documentation

Tier 1 Analyst - a lot of alert all day (一共有3个tier - 第一个tier是一直要on call)

conti hacker group

Healthcare system - very old - don’t have patches

https://en.wikipedia.org/wiki/Conti_(ransomware)

Threat intelligence

Threat intelligence is actionable information about potential cyber threats that helps organizations understand attackers’ motives, methods, and targets to improve their security defenses.

FDA

RBS pay

IC3 - FBI

越来越多的网络犯罪

open up your books - 被黑不会报案

RED teaming

act as threat actor

Red teaming is a security practice where a dedicated team simulates real-world attacks to test an organization’s defenses, identify vulnerabilities, and evaluate security capabilities.

This process helps organizations understand their weaknesses and improve their security posture by demonstrating the impact of successful attacks and the effectiveness of their defenses against threats. The practice can include social engineering, network exploitation, and physical facility breaches, with a post-engagement retrospective to review finding

Most of the time - protocols: domain (parameters - there’s a )

• real impact
• physical access - break into the building after dark

ICS SCADA SYSTEM

un-penetrable - 结果被黑，改变了整个安全行业

Cybersecurity insurance

insurance也是个非常有前景的topic，什么设备在安全险中？赔率多少，这个都需要人去研究

Sec行业实际上pay well的——跟IT一样只看经验，不看学历

desktop support - sde - sda

Def con

https://defcon.org/

Digital ID

Radio Frequency Identification (RFID) - Passport

Q&A - unlaunched

China Adversary

National data public? sec

commercialized - political

Gini has been worked as a desktop support for 10 yrs