Department of Computer & Information Sciences. CSCI-342: Introduction to Information Security Syllabus

Transcription

1 Department of Computer & Information Sciences CSCI-342: Introduction to Information Security Syllabus Course Description This course provides an introduction to the various basic technical and administrative aspects of Information Security, and addresses the foundation for understanding the key issues associated with protecting information assets, determining the levels of protection and response to security incidents, and designing security mechanisms. The purpose of the course is to provide the student with an overview of the field of Information Security. Students will be exposed to the spectrum of Security activities, methods, methodologies, and procedures. Topics covered include: systems security, secure software life cycle, risk analysis, operating system security, database security, network security, and system threats, programming and testing for software security. Textbook Richard E. Smith, Elementary Information Security, 1 st Edition, Jones & Bartlett Learning, ISBN: , Recommended Supplement M. Goodrich and R. Tamassia, Introduction to Computer Security, 1 st Edition, Addison Wesley, ISBN: , M. Bishop, Computer Security: Art and Science, Addison Wesley, ISBN: , W. Stallings, Computer Security: Principles and Practice, 2 st Edition, Prentice Hall, ISBN: , M. Stamp, Information Security: Principles and Practice, 2 st Edition, Wiley, ISBN: , M. E. Whitman and H. J. Mattord, Principles of Information Security, 4 st Edition, Course Technology, ISBN: , Prerequisite CSCI-350: Operating Systems Major Topics 1. Overview 1.1. The Security Landscape 1.2. Process Example: Bob s Computer 1.3. Identifying Risks 1.4. Prioritizing Risks

2 1.5. Ethical Issues in Security Analysis 1.6. Security Example: Aircraft Hijacking 2. Controlling a Computer 2.1. Computers and Programs 2.2. Programs and Processes 2.3. Buffer Overflow and The Morris Worm 2.4. Access Control Strategies 2.5. Keeping Processes Separate 2.6. Security Policy and Implementation 2.7. Security Plan: Process Protection 3. Controlling Files 3.1. The File System 3.2. Executable Files 3.3. Sharing and Protecting Files 3.4. Security Controls for Files 3.5. File Security Controls 3.6. Patching Security Flaws 3.7. Process Example: The Horse 4. Sharing Files 4.1. Controlled Sharing 4.2. File Permission Flags 4.3. Access Control Lists 4.4. Microsoft Windows ACLs 4.5. A Different Trojan Horse 4.6. Phase Five: Monitoring The System 5. Storing Files 5.1. Phase Six: Recovery 5.2. Digital Evidence 5.3. Storing Data on a Hard Drive 5.4. FAT: An Example File System 5.5. Modern File Systems 5.6. Input/Output and File System Software 6. Authenticating People 6.1. Unlocking a Door 6.2. Evolution of Password Systems 6.3. Password Guessing 6.4. Attacks on Password Bias 6.5. Authentication Tokens 6.6. Biometric Authentication 6.7. Authentication Policy 7. Encrypting Files 7.1. Protecting the Accessible 7.2. Encryption and Cryptanalysis 7.3. Computer-Based Encryption 7.4. File Encryption Software 7.5. Digital Rights Management 8. Secret and Public Keys 8.1. The Key Management Challenge 8.2. The Reused Key Stream Problem 8.3. Public-key Cryptography

3 8.4. RSA: Rivest-Shamir-Adleman 8.5. Data Integrity and Digital Signatures 8.6. Publishing Public Keys 9. Encrypting Volumes 9.1. Securing a Volume 9.2. Block Ciphers 9.3. Block Cipher Modes 9.4. Encrypting a Volume 9.5. Encryption in Hardware 9.6. Managing Encryption Keys 10. Connecting Computers The Network Security Problem Transmitting Information Putting Bits on a Wire Ethernet: A Modern LAN The Protocol Stack Network Applications 11. Networks of Networks Building Information Networks Combining Computer Networks Talking Between Hosts Internet Addresses in Practice Network Inspection Tools 12. End-to-End Networking Smart Versus Dumb Networks Internet Transport Protocols Names on the Internet Internet Gateways and Firewalls Long Distance Networking 13. Enterprise Computing The Challenge of Community Management Processes Enterprise Issues Enterprise Network Authentication Contingency Planning 14. Network Encryption Communications Security Crypto Keys on a Network Crypto Atop the Protocol Stack Network Layer Cryptography Link Encryption on Wireless Encryption Policy Summary 15. Internet Services and Internet Services Internet Security Problems Enterprise Firewalls Enterprise Point of Presence 16. The World Wide Web Hypertext Fundamentals

4 16.2. Basic Web Security Dynamic Web Sites Content Management Systems Ensuring Web Security Properties 17. Governments and Secrecy Secrecy In Government Classifications and Clearances National Policy Issues Communications Security Data Protection Trustworthy Systems Learning Outcomes Grading A student completing this course is expected to be able to: 1. State the basic concepts in information security, including security policies, security models, and security mechanisms. 2. Explain the concepts of malicious code, including virus, Trojan horse, and worms. 3. Explain the basic mechanisms for various cryptographic systems. 4. Explain common vulnerabilities in computer programs, including buffer overflow vulnerabilities, time-of-check to time-of-use flaws, incomplete mediation. 5. Outline the requirements and mechanisms for identification and authentication. 6. Explain issues about password authentication, including dictionary attacks (password guessing attacks), password management policies, and one-time password mechanisms. 7. Explain and compare security mechanisms for conventional operating systems, including memory, time, file, object protection requirements and techniques and protection in contemporary operating systems. 8. Explain the requirements for trusted operating systems, and describe the independent evaluation, including evaluation criteria and evaluation process. 9. Describe threats to networks, and explain techniques for ensuring network security, including encryption, authentication, firewalls, and intrusion detection. Letter Grade A B C D F 0 59 Evaluation Procedures Homework Assignment 20% Quiz 10% Midterm Exam 10% Final Exam 20%

5 Project &Presentation 40% Projects The group projects will involve setting up systems and writing programs that demonstrate important concepts and mechanisms introduced in the classes. The most common reason for not doing well on projects is not starting them early enough. You will be given plenty of time to complete each project. However, if you wait until the last minute to start, you may not be able to finish. Start early and plan to have it finished a few days ahead of the due date. Many unexpected problems typically arise during programming, particularly when debugging. You should plan for these things to happen. The department computer lab will be available for project work. We will also make an environment available for you that can be used to work on projects on your own computer. Your lack of staring early is not an excuse for turning in your project late, including having your computer crash. There are a number of sources for help. This includes office hours, and discussion groups on the class website. Group Rules: each group is to have a maximum 2 people. This means that you can work on your project individually or with another person. If you work in a group of two, you may collaborate on ONLY with your group member and not with a member of another group. Group selection is made by ing the instructor by the 3 rd class meeting. Once you select a group member, you may not change group membership. Each project submitted by a group will include a separate submission by each group member indicating a percentage describing each group member s contribution. Equal contribution means each member (in a 2 person group) contribute 50%. Anything different from equal contribution will result in a reduction in grade from the group member who contributes less and an increase in grade for the group member who contributes more. The oral class presentation will be done in groups of 2. If there are an odd number of students registered for the class, a single student will have the option of either presenting individually or joining a group (making a single group of 3). Homework All work will be submitted electronically. Homework and Projects are due at 11:59 PM on the due date described in the assignments. Late policy is as follows: 10% grade penalty for one day of lateness 50% grade penalty for two days of lateness A grade of zero for >2 days of lateness Note: plagiarism, copying, or cheating of any kind will result in a minimum of an F in the course for all parties involved and a maximum of expulsion from the University should I warrant the need to report it to the Student Judicial Affairs office. Attendance Policy Attendance is mandatory. It is the responsibility of the student to ensure that they sign the signin sheet prior to leaving class. Students that have not signed the sign-in sheet will be considered absent even if they attended class for that day. Students are allowed a maximum of two unexcused absences during the semester. Students that have more than two unexcused absences but less than or equal to four unexcused absences will have their course average reduced by five points. In addition, for each unexcused absence above four, students will receive an additional two points off from their course average.

6 Excused absences require documentation from an authorized party. An absence due to medical reasons will require a note or document from a medical practitioner or institution. Where possible, permission to be absent from class should be obtained in advance. Attempting to obtain permission for being absent after the fact and without proper documentation is not acceptable. Cell Phone Policy Cell phones should be turned off or in silent mode and should be tucked away somewhere not visible to anyone, especially to the instructor. Students will receive a warning on their first infraction of this policy and will be asked to leave the class on each additional infraction and considered absent. In addition, the student will receive an F on any graded work that is due or carried out on that day. Under no circumstance is a student to use the phone in class in any capacity. This includes text messaging! Students that leave the class to talk on their cell phones will not be allowed to return to class. This policy is in effect from the start of class until the instructor dismisses the class. Test Taking Policy During a scheduled exam or quiz, you are required to clear all material from the desk or table prior to beginning your exam or quiz. All books, bags, and other personal material should be placed on the floor. Cell phone policy remains in effect during an exam or quiz. This means that the use of a cell phone without permission from the instructor will result in a zero. Please make sure to use the restroom prior to beginning your exam. If you must use the rest room during the exam, you will need to submit your exam or quiz and it will be graded as is. Cheating and Collaboration Policy Collaboration is a healthy and constructive way to learn and accomplish tasks. Unfortunately, many students often do not realize that what they believe to be collaboration is actually cheating. Cheating on assignments or projects does not benefit anyone, especially you, and undermines our trust. Because the line between collaboration and cheating can get confusing for students, especially those not exposed to proper collaboration behavior, you are asked to carefully consider what is discussed in this section; however, the rule of thumb should always be that when in doubt about whether a particular action can be considered cheating, ask your instructor. In this course, engaging directly with one another on assignments and projects can only enhance the learning process. But how you engage is very important. Discussing assignments and projects at a conceptual level, helping with conceptual bugs in code, or discussing lecture and text material is acceptable. When you turn in assignments, the content must be completely yours! Exceptions occur when your instructor allows you to use material in the public domain; however, you will be required to reference the work. For the purpose of this course, using snippet of code from classmates accomplishes nothing! In the end, it is about what you have learned. Your grade means absolutely nothing to anyone once they figure out you cannot program. In the same token, helping someone by looking at their code, more often than none, leads to copying at some level. Please note that this is not the same as looking at someone else s code to learn to become a better programmer. In general, you are better off asking your instructor prior to looking at another classmate s code. Verbal collaboration is generally acceptable. Examples of acceptable collaboration: Discussing ambiguities in assignments or course materials to gain a better understanding of them; Providing assistance with Java, either in using the system facilities or with debugging tools. Discussing and explaining code provided in the course.

7 Obtaining help on general programming issues (i.e. what does a specific error mean?); As a general rule, if you do not understand or cannot explain what you are handing in, or if you have written the same code as someone else, you are probably cheating. If you have given somebody some code, simply so that it can be used in that person's project, you are probably cheating. Here are some examples of clear cases of cheating: Copying files or parts of files (such as source code, written text, or unit tests) from another person or source. Copying (or retyping) files or parts of files with minor modifications such as style changes or minor logic modifications. Allowing someone else to copy your code or written assignment in any form. Getting help from someone whom you do not acknowledge on your solution. The policies in this section were adapted from those instituted in the Computer Science Department at Carnegie Mellon University.