Course Design Document IS302: Information Security and Trust
Table of Contents
1 Versions History
2 Overview of Security and Trust Course
3 Output and Assessment Summary
   Midterm quiz (15%; problem solving)
   Class participation (10%)
   Project (25%)
   Final Exam (40%; close book) in week 15
   Grades release schedule
4 Group Allocation for Assignments
5 Classroom Planning
   5.1 Course Schedule Summary
   5.2 Lab Exercises
   5.3 Weekly plan
6 List of Information Resources and References
7 Tooling
8 Learning Outcomes, Achievement Methods and Assessment
1 Versions History
Version | Author | Date
V 1.0 | Yingjiu Li | 31-12-2004
V 2.0 | Yingjiu Li | 03-12-2005
V 2.1 | Yingjiu Li | 26-12-2005
V 2.2 | Yingjiu Li | 07-08-2006
V 3.0 | Yingjiu Li | 28-12-2006
V 4.0 | Yingjiu Li | 03-12-2007
V 4.1 | Yingjiu Li | 15-02-2008
Description of Changes
- Revised the design documents for weeks 7 11 based on discussions with Ravi Sandu and Ankit Fadia
- Re-designed the project
- Re-designed the lab session
- Revised the prerequisites of the course, learning outcomes, and tooling
- Revised course content and schedule
- Strengthened hands-on exercise
- Revised course content and schedule
- Revised design document in new format
- Revised project design
- Revised learning outcomes
- Revised design document in new format
- Revised project topics
- Revised project topics
- Revised project design and topics
The Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and the Java language.
2.2 Prerequisites
Students should understand the basics of computer networks, programming languages (Java, in particular), and information systems.
2.3 Objectives
Upon finishing the course, students are expected to:
- Understand basic security concepts, models, algorithms and protocols.
- Understand security requirements and constraints in some real world applications.
- Be able to analyze the current security mechanisms.
- Be aware of the current and future trends in security applications.
2.4 Basic Modules
Background and Basic Concepts (1 week)
2.5 Instructional Staff
Professors: Robert Deng, Yingjiu Li, Xuhua Ding
Instructional staff: to be updated
Teaching assistant: to be updated
Assignment 1 (due) Midterm Review midterm Lab, Assignment 2 due Project presentation and demo I Project Presentation and demo II Project report Final exam
5 15
Evaluated by the lecturers based on students' participation in classroom discussions and grading on hands-on and lab exercises
Project (25%)
Teaming: each team consists of 4 to 5 members. The students form the teams by themselves.
References: internet, textbook
Each team chooses a topic from the following list and conducts an open-ended investigation on the topic:
1. Web browser security
2. SSL security issues and solutions
3. Privacy leakage and control in online social networks
4. Authentication and anonymity in location based services
5. Android permission models and enforcement
6. iOS malware and detection
7. Android malware and detection
8. Trusted Platform Module (TPM) and its application
9. Password strength measurements
10. Anonymous communication
11. Keyloggers
12. Security in cloud computing
13. Security in electronic payment
Grading: 25%
1. Presentation 15%
   Presentation organization 5%
   Technical description 5%
   Q&A 5%
2. Project report 10%
   Breadth 5%
   Depth 5%
Deliverables: Each team will write a project report on their findings, and deliver an oral presentation in class. The report is expected to be around 15 pages, using 11pt font, single column and single space format. The oral presentation should be delivered within 20~25 minutes plus 5~10 minutes Q&A.
Requirements: In both presentation and report, each team should:
a) Describe the background of the related topic
b) Identify major issues (problems, concerns, questions) in the field
c) Address the identified issues with technical details
d) Provide your own comments and analyses
e) Give illustrative examples and case studies where appropriate
f) List all references
The project outline (around 5 pages) is due in week 9 before class and is not graded. The presentations are scheduled in weeks 12 and 13. The final report is due on Friday of week 15.
5 Classroom Planning
Teaching session: 3 hours
- Review: 15 minutes
- Solution techniques: 1 hour 30 minutes
   Security problems and techniques
   Analysis
- Hands-on exercises: 1 hour
   Settings and steps
   Discussions
- Summary: 15 minutes
5.1 Course Schedule Summary
Wk Topic (problem) Background Readings (textbook) Chapter 1, Classroom: techniques (1.5 hours) Networking Classroom: hands-on (1.5 hours) Form project After-class reading and exercise Group
Note Learning
Hands-on
Learning effect
7.1
2 3
teams
OpenSSL and JCE OpenSSL and JCE Assignment 1 OpenSSL and JCE Assignment 1 review, Open SSL and JCE Open SSL, email security, windows cert mgt User authentication I Review of midterm Assignment 2 Assignment 1
4 5
RSA Integrity
Cert, PKI
2.8, 7.6
4.5
Midterm
8 9
4.5, 7.3
10
AC
User authentication II and internet security 4.1-4.4, 5.1-5.3 DAC, MAC, RBAC
11
Internet Sec
12 13 14 15
7 8
Week: 2
Session 1:
- Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
- Security analysis of ancient ciphers
Session 2:
- Installation of JCE, CrypTool and OpenSSL
- Test for the tools
Reference: Chapter 2.1-2.4
Things to ensure:
- Students understand two basic encryption techniques: substitution and transposition
- JCE, CrypTool and OpenSSL are correctly installed for hands-on exercise in the following weeks
Week: 3
Session 1:
- DES: history and details
- AES: history and details
Session 2:
- Use both OpenSSL and JCE for DES and AES encryption and decryption
Reference: Chapter 2.5-2.6, 10.2
Things to ensure:
- Students know the security status of DES and AES
- Students know how to use DES and AES in OpenSSL and JCE
Week: 4
Session 1:
- Asymmetric encryption with RSA
Session 2:
- Use OpenSSL and JCE for generating RSA keys and for performing RSA encryption
Reference: Chapter 2.7-2.8, 10.3
Things to ensure:
- Students understand the security of RSA encryption
- Students know how to generate RSA keys and use RSA keys in OpenSSL and JCE
- Assignment 1 due and review
Week: 5
Session 1:
- Hash functions (MD5 and SHA1)
- MAC (HMAC and DES-MAC)
- RSA signature
- Compare MAC with RSA signature for message integrity check
Session 2:
- Use JCE for message integrity check with HMAC and RSA signature
Reference: Chapter 2.8, 10.3
Things to ensure:
- Students understand the security status of hash functions
- Students understand the differences between MAC and RSA signature
- Students know how to use JCE for integrity check with MAC and RSA signature
Week: 6
Session 1:
- Impersonation problem and the need of using certificates
- X.509 certificate format
- CRL
Session 2:
- Email security (S/MIME and PGP)
- Signed and/or encrypted email with COMODO certificates in Outlook
Reference: Chapter 2.8, 7.6
Things to ensure:
- Understand why and how to use certificates and CRLs
- Know how to use Outlook to send signed and/or encrypted emails
Week: 7
Session 1:
- Quiz
Session 2:
- Weak authentication with passwords
- Unix passwords
- Windows LM hash and NTLM hash
- Password attacks
Reference: Chapter 4.5
Things to ensure:
- Understand how passwords are stored in computers
Week: 9
Session 1:
- Strong authentication (Lamport, challenge response, time synchronization)
- NTLMv1 and NTLMv2
Session 2:
- Internet security (SSL, firewall, IDS)
Reference: Chapter 4.5, 7.3
Things to ensure:
- Understand why strong authentication is more secure than weak authentication
- Understand how passwords are verified in Windows
- Understand the fundamentals of SSL, firewall and IDS
- Understand how to protect information systems in banks (case study)
- Project draft is due
Week: 10
Session 1:
- Access control models: DAC, MAC, RBAC
Session 2:
- Java SecurityManager
Reference: Chapter 4.1-4.4, 5.1-5.3
Things to ensure:
- Know how to use Java SecurityManager to enforce access control
- Assignment 2 covers weeks 9 and 10
Week: 11
Session 1:
- Lab exercise for password cracking
Session 2:
- Lab exercise for using firewall and IDS
Reference: Lab instructions
Things to ensure:
- Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection
- Assignment 2 due and review
Week: 12 (project presentation: teams 1-5)
Session 1:
Session 2:
Reference:
Things to ensure:
- Invited talk from industry on information security best practice
Week: 13 (project presentation and demo: teams 6-10)
Session 1:
Session 2:
Reference:
Things to ensure:
- Learning information security trends from each other
Week: 14 (review week: no class)
Session 1:
Session 2:
Reference:
Week: 15 (exam week: no class)
Session 1:
Session 2:
Reference:
Things to ensure:
- Final exam
7 Tooling
Tool | Description | Remarks
OpenSSL, JCE, CrypTool | Security tools in Windows and Java | Hands-on exercises and demo
PPA, IPtable, snort | Password cracking, firewall, and IDS | Lab exercises
8 Learning Outcomes, Achievement Methods and Assessment
Course-specific core competencies which address the Outcomes | Faculty Methods to Assess Outcomes
- Identify the security properties of enterprise information systems
- Analyze the security tradeoffs to be made in design of enterprise information systems
- List basic design principles of protecting enterprise information systems
- Identify major security technologies/components that are most effective for protecting enterprise information systems
- Explain the future trend of security technologies that will generate significant impact to practice
- Execute and grade lab exercises
- Grade and give feedback to individual assignments
- Grade and give feedback to group project
YY
Ability to understand & analyze the linkages between:
a) Business strategy and business value creation
b) Business strategy and information strategy
c) Information strategy and technology strategy
d) Business strategy and business processes
e) Business processes or information strategy or technology strategy and IT solutions
1.2 Cost and benefits analysis skills
Ability to understand and analyze:
a) Costs and benefits analysis of the project
1.3 Business software solution impact analysis skills
Ability to understand and analyze:
a) How business software applications impact the enterprise within a particular industry sector.
YY
specification skills
with tools CrypTool, OpenSSL and JCE Identify the security requirements for enterprise information systems Design effective and efficient solutions to protect enterprise information systems
and 2 Execute and grade lab exercises Real case studies and invited talks from industry with questions included and graded in the final exam Grade and give feedback to project
Ability to:
a) Elicit and understand functional requirements from customer
b) Identify non functional requirements (performance, availability, reliability, security, usability etc)
c) Analyze and document business processes
2.2 Software and IT architecture analysis and design skills
Ability to:
a) Analyze functional and nonfunctional requirements to produce a system architecture that meets those requirements.
b) Understand and apply process and methodology in building the application
c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc)
d) Explain and justify all the design choices and tradeoffs done during the application's development
2.3 Implementation skills
Ability to:
Y Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability Execute and grade lab exercises
Y Use cryptool, openssl and JCE to design and implement security techniques for network security and access control Execute and grade lab exercises and project
a) Realize coding from design and vice versa
b) Learn / practice one programming language
c) Integrate different applications (developed application, cots software, legacy application etc)
d) Use tools for testing, integration and deployment
Y Y
Y Understand and know how to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control Execute and grade lab exercises
Ability to:
a) Understand, select and use appropriate technology building blocks when developing an enterprise solution (security, middleware, network, IDE, ERP, CRM, SCM etc)
Project management skills
3.1 Scope management skills
Ability to:
a) Identify and manage trade-offs on scope/cost/quality/time
b) Document and manage changing requirements
3.2 Risks management skills
Ability to:
a) Identify, prioritize, mitigate and document projects risks
b) Constantly monitor projects risks as part of project monitoring
3.3 Project integration and time management skills
Ability to:
a) Establish WBS, time & effort estimates, resource allocation, scheduling etc
b) Practice in planning using methods and tools (Microsoft project, Gantt chart etc)
c) Develop / execute a project plan and maintain it
3.4 Configuration management skills
Ability to:
a) Understand concepts of configuration mgt and change control
3.5 Quality management skills
Ability to:
a) Understand the concepts of Quality Assurance and Quality control (Test plan, test cases)
4 Learning to learn skills
4.1 Search skills
Ability to:
a) Search for information efficiently and effectively
4.2 Skills for developing a methodology for learning
Ability to:
a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn).
b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others
Collaboration (or team) skills:
5.1 Skills to improve the effectiveness of group processes and work products
Ability to develop:
a) Leadership skills
b) Communication skills
c) Consensus and conflict resolution skills
Change management skills for enterprise systems
Effectively communicate and resolve conflicts while working in a randomly chosen team
6.1 Skills to diagnose business changes
Ability to:
a) Understand the organizational problem or need for change (e.g. Analyze existing business processes or as-is process)
6.2 Skills to implement and sustain business changes
Ability to:
a) Implement the change (e.g. advertise / communicate the need for change etc.) and to sustain the change over time
7 Skills for working across countries, cultures and borders
7.1 Cross-national awareness skills
Ability to:
a) Develop cross-national understandings of culture, institutions (e.g. law), language etc
7.2 Business across countries facilitation skills
Ability to:
a) Communicate across countries
b) Adapt negotiation and conflict resolution techniques to a multicultural environment
Communication skills
8.1 Presentation skills
Ability to:
a) Provide an effective and efficient presentation on a specified topic.
8.2 Writing skills
Ability to:
Y Write survey report on a new information security topic. Grade and give feedback to project and individual assignments Y Prepare and deliver an effective and efficient presentation on a new information security topic. Grade and give feedback to project
a) Provide documentation understandable by users (Requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc)
Y: This sub-skill is covered partially by the course
YY: This sub-skill is a main focus for this course