IT 6823

 

 

 

INFORMATION SECURITY CONCEPTS AND ADMINISTRATION

 

 

 

 

 

Textbook and

References:

Textbook:

·         Charles P. Pfleeger and Shari L. Pfleeger, Security in Computing, Prentice Hall, Upper Saddle River, NJ 07458, 3rd edition, 2003. ISBN: 0-13-035548-8.

 

References:

·         Ed Skoudis, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Prentice Hall, Upper Saddle River, NJ 07458, 2002. ISBN: 0-13-033273-9.

·         Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley & Sons, Inc., 2001. ISBN 0-471-38922-6.

 

 

 

Grading Scheme:

90.0 -- 100%          A             =    450 -- 500 Points

80.0 -- 89.9%         B             =    400 -- 449 Points

70.0 -- 79.9%         C             =    350 -- 399 Points

60.0 -- 69.9%         D             =    300 -- 349 Points

00.0 -- 59.9%         F             =     000 -- 299 Points

 

 

 

Tentative Point Distribution:

Tests                  2 * 100   points each                         200  Points            40%

Project               1 * 100   points each                         100  Points            20%

Assignments      6 * 20  points each                            120  Points            24%

Participation       Attendance + Involvement                 80  Points            16%

---------------------------------------------------------------------------------------------------

 

 

 

 

 

 

 

                                                            TOTAL:           500 Points          100%

 

Important Note: I reserve the right to change this grading system as the course progresses and various circumstances develop.

 

Tests:

Two tests will be given. Each test will cover the material from that unit only.  Test questions will consist of multiple choices, fill blanks, programming, and/or essay questions. Questions will cover topics discussed in class that may or may not be covered in the textbook. Students are encouraged to attend class often so as to maximize their exam scores.

 

 

 

Projects:

There is one course project in this course worth 100 points. The project is intended to test the range of knowledge sets and skills developed by students in their prior CS/SWE/IT courses and this course as well. Each student will work as a member of a 2~4-person team to complete one research topic in information security. More details about the nature of the project, suggested topics, grading policy, deliverables, and the instructor's expectations will be provided as a separated handout in class. Each student is expected to contribute equally to the success of the project and to participate in the presentation of the final results.  Grading will be subjective based on the quality and completeness of the project.

 

 

 

Assignments:

 

Assignments are individual work testing the understanding of the course materials. Students should complete their assignments independently and turn in their solutions in time according to the assignment requirements.

 

 

 

Thesis/Research Topics:

 

As information security represents a challenging research arena in Computer Science / Software Engineering / Information Technology, many topics covered in this course are potential research topics for your senior projects or MS thesis projects. Some of the topics will be briefly discussed in class. More details will be provided by the instructor upon request. Please contact the instructor if you are interested in doing a senior project or MS thesis in Information Security, or visit the instructor’s web page at http://lovelace.spsu.edu/jwang/.

 

 

 

Late Work:

All assignments and deliverables, including all project progress reports, source code, presentations, group reports, individual reports, homework assignments, and peer evaluations, are due at the beginning of the class time on the due date. Any late item will be discounted by 10 points per hour delay. Students should be responsible for their homework and project result reaching the instructor in time. (Don't trust the department drop-box.)

    

 

 

Makeup  Tests:

You must contact the instructor prior to the test to explain your reasons for being absent in the test. The instructor will decide whether a makeup test is allowed or not. If your application for a makeup test is accepted, in any case, the makeup test must be done before the next scheduled class unless you could provide official documents from the Student Health Service or the Office of the Senior Vice President for Academic Affairs for attending authorized and official University activities.

 

No makeup project-work (reports or presentations) are allowed.

 

 

 

Class Participation:

Class participation includes class attendance, contributions during class discussion, and sense of teamwork. Class participation will contribute to your overall grade up to 80 points. The instructor expects you to attend lectures regularly and to arrive on time. Attendance checking (roll-call) will be conducted usually at the beginning of each class. Students are responsible to inform the instructor their attendance if they miss the roll call but actually attend the class. The maximal attendance grade is: 3 * 16 = 48 points.

 

You are responsible for all course work. Being absent does not excuse work from the stated due dates. In addition to attendance, there will be a contribution grade to encourage class discussion and sense of teamwork. You can earn up to 32 points in the whole semester by

  • actively asking/answering questions
  • being a good team player
  • providing accurate peer evaluations

 

 

 

Academic  Dishonesty:

SPSU values academic integrity. Therefore all students must understand the meaning and consequences of cheating, plagiarism and other academic offenses. Work submitted for this course must represent your own efforts. Copying assignments or tests, or allowing others to copy your work, will not be tolerated. Note that introducing syntactic changes into a copied program is still considered plagiarism. The grade for all involved parties for any course work (homework, assignment, project, programming, or test) will be zero if plagiarism is evidenced.

 

Academic dishonesty is an extremely serious offense. All cases of academic dishonesty will be dealt with in accordance with the policies of the University as published in the Undergraduate Catalog and Graduate Student Handbook. Penalties may include expulsion from the University.

 

 

 

Disability:

Students with disabilities who believe that they may need accommodations in this class are encouraged to contact the counselor working with disabilities at 678-915-7226 as soon as possible to better ensure that such accommodations are implemented in a timely fashion.

 

 

 

Return and Destruction of Papers:

Homework, floppy disks, and other completed class assignments will be brought to class once to be returned after they are graded. If you are absent on a day that a paper is returned you will need to arrange to pick up the paper in the instructor's office. All tests and papers may be destroyed after the end of the first week of the following semester. Test papers will not be returned and you will not be allowed to keep or to photocopy exams. You may examine your tests in the instructor's office during scheduled exam review periods.

 

 

 

Course Homepage:

The URL for the course homepage is:

 

 http://webct.usg.edu/

 

You will need a WebCT account to access the course web site.

 

 

 

 

Course Description

 

Prerequisites:   

 

CS 5123: Advanced Programming and Data Structures; and CS 5423: Mathematical Structures for Computer Science

 

 

Catalog Description:  

 

This course covers the fundamentals of computing security, access control technology, cryptographic algorithms, implementations, tools and their applications in communications and computing systems security. Topics include public key infrastructure, operating system security, database security, network security, web security, firewalls, security architecture and models, and ethical and legal issues in information security.

 

Additional Description: 

 

This course covers a variety of topics that will prepare those students who wish to develop a skill set in information security or who wish to enhance their current information technology expertise by gaining additional knowledge in the field of computing security.

 

The topics will range from operating systems security, database security, program security, network security, wireless security, legal and ethical issues, access controls, cryptography and risk management. Students will also be instructed in how to design and create disaster recovery plans, computer policies and standards, system security architectures and physical security controls. Legal aspects of computer security will also be covered as will auditing in a secured environment and managing as a day-to-day security administrator. In-class project and assignments will focus upon critical thinking for security managers in mainframe, midrange and network environments as well as research assignments and basic policy creation. Reading and assignments will also provide additional insight to selected topics during the semester.

 

 

Course Objectives:   

 

The course covers a wide range of skills for information security. On completion of this course, students should be able to

  1. Create a sensitivity to the threats and vulnerabilities of personal, organizational, and national security information systems;
  2. Establish a recognition of the need to protect data, information and the means of processing them;
  3. Build a working knowledge of principles and practices in information security.
  4. Design, execute, or evaluate personal or organizational security procedures and practices.
  5. Understand the importance of information security and how it affects our changing world.
  6. Identify the key areas of information security and how they work.
  7. Learn how to critically analyze situations of computer use, identifying the issues, consequences and viewpoints.
  8. Apply information security concepts and techniques while performing their tasks.

As a part of your general education, this course will also help you to

  1. Communicate (written and verbally) about a complex, technical topic simply and coherently.
  2. Work and interact collaboratively in groups to examine, understand and explain key aspects of information security.

 

 

Course Outline:

 

1. Is There a Security Problem in Computing?

1.1 What Does “Secure” Mean?

1.1.1 Protecting Valuables

1.1.2 Characteristics of Computer Intrusion

1.2 Attacks

1.2.1 Threats, Vulnerabilities, and Controls

1.2.2 Method, Opportunity, and Motive

1.3 The Meaning of Computer Security

1.3.1 Security Goals

1.3.2 Vulnerabilities

1.4 Computer Criminals

1.4.1 Amateurs

1.4.2 Crackers

1.4.3 Career Criminals

1.5 Methods of Defense

1.5.1 Controls

1.5.2 Effectiveness of Controls

1.6 What's Next

1.6.1 Encryption Overview

1.6.2 Hardware and Software Security

1.6.3 Human Controls in Security

1.6.4 Where the Field Is Headed


2. Elementary Cryptography.

2.1 Terminology and Background

2.2 Substitution Ciphers

2.2.1 The Caesar Cipher

2.2.2 Other Substitutions

2.2.3 One-Time Pads

2.3 Transposition (Permutations)

2.3.1 Columnar Transpositions

2.3.2 Combinations of Approaches

2.4 Making “Good” Encryption Algorithms

2.4.1 What makes a “Secure” Encryption Algorithm?

2.4.2 Symmetric and Asymmetric Encryption Systems

2.4.3 Stream and Block Ciphers

2.4.4 Confusion and Diffusion

2.4.5 Cryptanalysis – Breaking Encryption Schemes

2.5 The Data Encryption Standard (DES)

2.5.1 Background and History

2.5.2 Overview of the DES Algorithm

2.5.3 Double and Triple DES

2.5.4 Security of the DES

2.6 The AES Encryption Algorithm

2.6.1 The AES Contest

2.6.2 Overview of Rijndael

2.6.3 Strength of the Algorithm

2.6.4 Comparison of DES and AES

2.7 Public Key Encryption

2.7.1 Motivation

2.7.2 Characteristics

2.7.3 Rivest-Shamir-Adelman (RSA) Encryption

2.8 The Uses of Encryption

2.8.1 Cryptographic Hash Functions

2.8.2 Key Exchange

2.8.3 Digital Signatures

2.8.4 Certificates

 

3. Program Security

3.1 Secure Programs

3.1.1 Fixing Faults

3.1.2 Unexpected Behavior

3.1.3 Types of Flaws

3.2 Nonmalicious Program Errors

3.2.1 Buffer Overflows

3.2.2 Incomplete Mediation

3.2.3 Time-of-Check to Time-of-Use Errors

3.2.4 Combinations of Nonmalicious Program Flaws

3.3 Viruses and Other Malicious Code

3.3.1 Why Worry About Malicious Code?

3.3.2 Kinds of Malicious Code

3.3.3 How Viruses Attach

3.3.4 Document Viruses

3.3.5 How Viruses Gain Control

3.3.6 Homes for Viruses

3.3.7 Virus Signatures

3.3.8 The Source of Viruses

3.3.9 Prevention of Virus Infection

3.3.10 Truths and Misconceptions about Viruses

3.3.11 First Example of Malicious Code: The Brain Virus

3.3.12 Another Example: The Internet Worm

3.3.13 More Malicious Code: Code Red

3.3.14 Malicious Code on the Web: Web Bugs

3.4 Targeted Malicious Code

3.4.1 Trapdoors

3.4.2 Salami Attacks

3.4.3 Covert Channels: Programs that Leak Information

3.5 Controls Against Program Threats

3.5.1 Developmental Controls

3.5.2 Operating System Controls on Use of Programs

3.5.3 Administrative Controls

3.5.4 Program Controls in General

 

4. Protection in General-Purpose Operating Systems

4.1 Protected Objects and Methods of Protection

4.1.1 A Bit of History

4.1.2 Protected Objects

4.1.3 Security Methods of Operating Systems

4.2 Memory and Address Protection

4.2.1 Fence

4.2.2 Relocation

4.2.3 Base/Bounds Registers

4.2.4 Tagged Architecture

4.2.5 Segmentation

4.2.6 Paging

4.2.7 Combined Paging with Segmentation

4.3 Control of Access to General Objects

4.3.1 Directory

4.3.2 Access Control List

4.3.3 Access Control Matrix

4.3.4 Capability

4.3.5 Procedure-Oriented Access Control

4.4 File Protection Mechanisms

4.4.1 Basic Forms of Protection

4.4.2 Single Permissions

4.4.3 Per-Object and Per-User Protection

4.5 User Authentication

4.5.1 Use of Passwords

4.5.2 Attacks on Passwords

4.5.3 Password Selection Criteria

4.5.4 The Authentication Process

4.5.5 Authentication Other Than Passwords


5.Designing Trusted Operating Systems

5.1 What Is a Trusted System?

5.2 Security Policies

5.2.1 Military Security Policy

5.2.2 Commercial Security Policies

5.3 Models of Security

5.3.1 Multilevel Security

5.3.2 Models Proving Theoretical Limitations of Security Systems

5.3.3 Summary of Models of Protection Systems

5.4 Trusted Operating System Design

5.4.1 Trusted System Design Elements

5.4.2 Security Features of Ordinary Operating Systems

5.4.3 Security Features of Trusted Operating Systems

5.4.4 Kernelized Design

5.4.5 Separation/Isolation

5.4.6 Virtualization

5.4.7 Layered Design

5.5 Assurance in Trusted Operating Systems

5.5.1 Typical Operating System Flaws

5.5.2 Assurance Methods

5.5.3 Open Source

5.5.4 Evaluation

5.6 Implementation Examples

5.6.1 General-Purpose Operating Systems

5.6.2 Operating Systems Designed for Security

 

6. Database Security

6.1 Introduction to Databases

6.1.1 Concepts of a Database

6.1.2 Components of Databases

6.1.3 Advantages of Using Databases

6.2 Security Requirements

6.2.1 Integrity f the Database

6.2.2 Element Integrity

6.2.3 Auditability

6.2.4 Access Control

6.2.5 User Authentication

6.2.6 Availability

6.2.7 Integrity / Confidentiality / Availability

6.3 Reliability and Integrity

6.3.1 Protection Features from the Operating System

6.3.2 Two-Phase Update

6.3.3 Redundancy / Internal Consistency

6.3.4 Recovery

6.3.5 Concurrency / Consistency

6.3.6 Monitors

6.3.7 Summary of Data Reliability

6.4 Sensitive Data

6.4.1 Access Decisions

6.4.2 Types of Disclosures

6.4.3 Security versus Precision

6.5 Inference

6.5.1 Direct Attack

6.5.2 Indirect Attack

6.5.3 Aggregation

6.6 Multilevel Databases

6.6.1 The case for Differentiated Security

6.6.2 Granularity

6.6.3 Security Issues

6.7 Proposals for Multilevel Security

6.7.1 Separation

6.7.2 Designs of Multilevel Secure Databases

6.7.3 Concluding Remarks


7. Security in Networks

7.1 Network Concepts

7.1.1 The Network

7.1.2 Media

7.1.3 Protocols

7.1.4 Types of Networks

7.1.5 Topologies

7.1.6 Distributed Systems

7.1.7 APIs

7.1.8 Advantages of Computing Networks

7.2 Threats in Networks

7.2.1 What Makes a Network Vulnerable?

7.2.2 Who Attacks Networks?

7.2.3 Threat Precursors

7.2.4 Threats in Transit: Eavesdropping and Wiretapping

7.2.5 Protocol Flaws

7.2.6 Impersonation

7.2.7 Spoofing

7.2.8 Message Confidentiality Threats

7.2.9 Message Integrity Threats

7.2.10 Web Site Defacement

7.2.11 Denial of Service

7.2.12 Distributed Denial of Service

7.2.13 Threats to Active or Mobile Code

7.2.14 Complex Attacks

7.2.15 Summary of Network Vulnerabilities

7.3 Network Security Controls

7.3.1 Security Threat Analysis

7.3.2 Design and Implementation

7.3.3 Architecture

7.3.4 Encryption

7.3.5 Content Integrity

7.3.6 Strong Authentication

7.3.7 Access Controls

7.3.8 Alarms and Alerts

7.3.9 Honeypots

7.3.10 Traffic Flow Security

7.3.11 Controls Review

7.4 Firewalls

7.4.1 What is a Firewall?

7.4.2 Design of Firewalls

7.4.3 Types of Firewalls

7.4.4 Personal Firewalls

7.4.5 Comparison of Firewall Types

7.4.6 Example firewall Configurations

7.4.7 What Firewalls Can – and Cannot – Block

7.5 Intrusion Detection Systems

7.5.1 Types of IDSs

7.5.2 Goals for Intrusion Detection Systems

7.5.3  IDS Strengths and Limitations

7.6 Secure E-Mail

7.6.1 Security for E-Mail

7.6.2 Designs

7.6.3 Example Secure E-Mail Systems

 

8. Administering Security

8.1 Security Planning

8.1.1 Contents of a Security Plan

8.1.2 Assign Responsibilities and define criticality and sensitivity

8.1.3 Assuring Commitment to a Security Plan

8.1.4 Business Continuity Plans

8.1.5 Incident Response Plans

8.1.6 Allocate Resources

8.2 Risk Analysis

8.2.1 The Nature of Risk

8.2.2 Steps of a Risk Analysis

8.2.3 Arguments for an Against Risk Analysis

8.2.4 Systems Security Authorization Agreement (SSAA)

8.3 Organizational Security Policies

8.3.1 Purpose

8.3.2 Audience

8.3.3 Contents

8.3.4 Characteristics of a Good Security Policy

8.3.5 Incidence Handling and Response

8.3.6 Policy Issue Example: Government E-Mail

8.3.7 Certification and Recertification

8.3.8 Systems Security Authorization Agreement (SSAA)

8.3.9 Waive Policy to Continue Operation

8.4 Physical Security

8.4.1 Natural Disasters

8.4.2 Power Loss

8.4.3 Human Vandals

8.4.4 Interception of Sensitive Information

8.4.5 Contingency Planning

8.4.6 Physical Security Recap

8.5 Security in Acquisitions

                8.5.1 Acquisition and Certification

                8.5.2 Life Cycle Management


9. Legal, Privacy, and Ethical Issues in Computer Security

9.1 Protecting Programs and Data

9.1.1 Copyrights

9.1.2 Patents

9.1.3 Trade Secrets

9.1.4 Protection for Computer Objects

9.2 Information and the Law

9.2.1 Information as an Object

9.2.2 Legal Issues Relating to Information

9.2.3 Protecting Information

9.2.4 Summary of Protection for Computer Artifacts

9.3 Rights of Employees and Employers

9.3.1 Ownership of Products

9.4 Software Failures

9.4.1 Selling Correct Software

9.4.2 Reporting Software Flaws

9.5 Computer Crime

9.5.1 Why a Separate Category for Computer Crime is Needed

9.5.2 Why Computer Crime is Hard to Define

9.5.3 Why Computer Crime is Hard to Prosecute

9.5.4 Examples of Statutes

9.5.5 International Dimensions

9.5.6 Why Computer Criminals are Hard to Catch

9.5.7 What Computer Crime does not Address

9.5.8 Cryptography and the Law

9.6 Privacy

9.6.1 Threats to Privacy

9.6.2 Controls Protecting Privacy

9.7 Ethical Issues in Computer Security

9.7.1 Differences between the Law and Ethics

9.7.2 Studying Ethics

9.7.3 Ethical Reasoning

9.8 Case Studies of Ethics

9.8.1 Case I: Use of Computer Services

9.8.2 Case II: Privacy Rights

9.8.3 Case III: Denial of Service

9.8.4 Case IV: Ownership of Programs

9.8.5 Case V: Proprietary Resources

9.8.6 Case VI: Fraud

9.8.7 Case VII: Accuracy of Information

9.8.8 Case VIII: Ethics of Hacking or Cracking

9.8.9 Codes of Ethics

 

 

Questionnaire #1:  Student Background

 

Tuesday  May 17, 2005

 

In order to improve teaching effectiveness, you will be asked to fill a few questionnaires during this semester. This questionnaire is the first one of them. The information you provide in these questionnaires is used solely for the purpose of improving teaching effectiveness. For instance, this first questionnaire is designed for possible improving course schedule and content according to student background.

Please complete the following questionnaire during the class and hand it to the instructor before you leave the classroom today.

-------------------------------------------------------------------------------------------------------

1.       Statistical  information:

Name

 

 

Major

 

 

 

2.       Have you taken Advanced Programming and Data Structures or equivalent? 

A. Yes           B. No

 

3.       Have you taken Mathematical Structures for Computer Science or equivalent?

A. Yes           B. No

 

4.       Do you have JAVA programming experience?  A. Yes           B. No

If yes, describe briefly your experience of programming in JAVA, e.g., what kind of Java projects have

you developed?

 

5.       Do you have C/C++ programming experience?  A. Yes           B. No

If yes, describe briefly your experience of programming in C/C++, e.g., what kind of products have

you developed?

 

 

6.       Check the following for your OS experience:

Microsoft Windows NT/2000/XP/9X:

        Familiar

        Some experience but not familiar

        Never used it

UNIX/LINUX:

        Familiar

        Some experience but not familiar

        Never used it

Mackintosh OS:

        Familiar

        Some experience but not familiar

        Never used it

 

7.       Check the following for your network experience (check all items applicable):

        I was / I am a network system administrator.

        I have set up a local area network in my work, home, or study.

        I’m familiar with network protocols like TCP/IP/UDP/IMCP, etc.

        I know the difference between a hub and a switch.

        I don’t have network knowledge.

 

8.       What is your course objective/expectation?

  1. It is required elective for my major(s) and I must get at least “C” for my grade.
  2. It is required elective for my major(s) and I must get at least “B” for my grade.
  3. It is a required selective course for my major(s) and I must get a grade of _________.
  4. It is elective but I’d like to have a grade of _____________.
  5. To earn another 3 credit hours solely.
  6. I enrolled this course mainly due to my interests in the topics covered by this course.
  7. Others (please explain briefly.)

 

9.       How much time could you (or are you going to) spend for this course after one lecture ?

 

 

 

 

My Permanent Contact Information:

 

 

 

Name: ________________________________________________________________

 

 

 

Mail Address: ___________________________________________________________

 

 

 

Phone Numbers:_________________________________________________________

 

 

 

Email Address: __________________________________________________________