Technical Specification of



[pic]

Course Design Document

IS302: Information Security and Trust

Version 4.7

17 December 2012

Table of Content

1 Versions History 3

2 Overview of Security and Trust Course 4

2.1 Synopsis 4

2.2 Prerequisites 4

2.3 Objectives 4

2.4 Basic Modules 4

2.5 Instructional Staff 5

3 Output and Assessment Summary 5

Midterm quiz (15%; problem solving) 5

Class participation (10%) 6

Project (25%) consists of part A (15%) and part B (10%) 6

Final Exam (40%; close book) in week 15 7

Grades release schedule 7

4 Group Allocation for Assignments 8

5 Classroom Planning 8

5.1 Course Schedule Summary 8

5.2 Lab Exercises 9

5.3 Weekly plan 9

6 List of Information Resources and References 14

Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007 14

7 Tooling 14

Tool 14

Description 14

Remarks 14

8 Learning Outcomes, Achievement Methods and Assessment 14

Versions History

|Version |Description of Changes |Author |Date |

|V 1.0 | |Yingjiu Li |31-12-2004 |

|V 2.0 |Revised the design documents for|Yingjiu Li |03-12-2005 |

| |weeks 7 – 11 based on | | |

| |discussions with Ravi Sandu and | | |

| |Ankit Fadia | | |

| |Re-designed the project | | |

|V 2.1 |Re-designed the lab session |Yingjiu Li |26-12-2005 |

|V 2.2 |Revised the pre-requisites of |Yingjiu Li |07-08-2006 |

| |the course, learning outcomes, | | |

| |and tooling | | |

|V 3.0 |Revised course content and |Yingjiu Li |28-12-2006 |

| |schedule | | |

| |Strengthened hands-on exercise | | |

|V 4.0 |Revised course content and |Yingjiu Li |03-12-2007 |

| |schedule | | |

|V 4.1 |Revised design document in new |Yingjiu Li |15-02-2008 |

| |format | | |

|V 4.2 |Revised project design |Yingjiu Li |24-12-2008 |

|V 4.3 |Revised learning outcomes |Yingjiu Li |02-11-2009 |

|V 4.4 |Revised design document in new |Yingjiu Li |10-06-2010 |

| |format | | |

|V4.5 |Revised project topics |Yingjiu Li |02-01-2012 |

|V4.6 |Revised project topics |Yingjiu Li |31-10-2012 |

|V4.7 |Revised project design and |Yingjiu Li |17-12-2012 |

| |topics | | |

Overview of Security and Trust Course

1. Synopsis

Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and Java language.

2. Prerequisites

Students should understand the basics of computer network, programming languages (Java, in particular), and information systems.

3. Objectives

Upon finishing the course, students are expected to:

1. • Understand basic security concepts, models, algorithms and protocols.

2. • Understand security requirements and constraints in some real world applications.

3. • Be able to analyze the current security mechanisms.

4. • Be aware of the current and future trends in security applications.

4. Basic Modules

5. Instructional Staff

• Professors: Robert Deng, Yingjiu Li, Xuhua Ding, Debin Gao

• Instructional staff: to be updated

• Teaching assistant: to be updated

Output and Assessment Summary

|Week |Date |

|Review: 15 minutes | |

|Solution techniques: 1 hour 30 minutes |Learning |

|Security problems and techniques | |

|Analysis | |

|Hands-on exercises: 1 hour |Hands-on |

|Settings and steps | |

|Discussions | |

|Summary: 15 minutes |Learning effect |

4 Course Schedule Summary

|Wk |Topic |Readings |Classroom: techniques (1.5 hours) |

| |(problem) |(textbook) | |

|1 |1 |Basic security concepts |Email attack in SMTP |

|2 |2 |Encryption basics |Openssl, cryptool, and JCE installation and demo |

|3 |3 |DES and AES |DES and AES with openssl, JCE, and cryptool |

|4 |4 |RSA encryption |RSA encryption with openssl, JCE and cryptool |

|5 |5 |Integrity check |Hash, MAC, and RSA signature |

|6 |6 |Certification and PKI |Email security with free certificates |

|7 | |Password authentication |Midterm |

|9 | |Strong authentication |Review of midterm |

|10 |7 |Access control |Security manager in JCE |

|11 |8 |Internet security |Password cracking, firewall and intrusion detection in SAS |

| | | |lab. |

5.3 Weekly plan

|Week: 1 |

|Session 1: |

|Introduction to the course |

|Basic security concepts |

|Session 2: |

|Networking basics and email attack |

|Project team formation |

|Reference: |

|Chapter 1 and 7.1 |

|Things to ensure: |

|Course material is available for download from the course web site |

|Students must be assigned into groups for project |

|Week: 2 |

|Session 1: |

|Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition |

|Security analysis of ancient ciphers |

|Session 2: |

|Installation of JCE cryptool and Openssl |

|Test for the tools |

|Reference: |

|Chapter 2.1-2.4 |

|Things to ensure: |

|Students understand two basic encryption techniques: substitution and transposition |

|JCE, cryptool and openssl are correctly installed for hands-on exercise in the following weeks |

|Week: 3 |

|Session 1: |

|DES: history and details |

|AES: history and details |

|Session 2: |

|Use both Openssl and JCE for DES and AES encryption and decryption |

|Reference: |

|Chapter 2.5-2.6, 10.2 |

|Things to ensure: |

|Students know the security status of DES and AES |

|Students know how to use DES and AES in Openssl and JCE |

|Week: 4 |

|Session 1: |

|Asymmetric encryption with RSA |

|Session 2: |

|Use Openssl and JCE for generating RSA keys and for performing RSA encryption |

|Reference: |

|Chapter 2.7-2.8, 10.3 |

|Things to ensure: |

|Students understand the security of RSA encryption |

|Students know how to generate RSA keys and use RSA keys in Openssl and JCE |

|Assignment 1 due and review |

|Week: 5 |

|Session 1: |

|Hash functions (MD5 and SHA1) |

|MAC (HMAC and DES-MAC) |

|RSA signature |

|Compare MAC with RSA signature for message integrity check |

|Session 2: |

|Use JCE for message integrity check with HMAC and RSA signature |

|Reference: |

|Chapter 2.8, 10.3 |

|Things to ensure: |

|Students understand the security status of hash functions |

|Students understand the differences between MAC and RSA signature |

|Students know how to use JCE for integrity check with MAC and RSA signature |

|Week: 6 |

|Session 1: |

|Impersonation problem and the need of using certificates |

|X. 509 certificate format |

|CRL |

|Session 2: |

|Email security (S/MIME and PGP) |

|Signed and/or encrypted email with COMODO certificates in Outlook |

|Reference: |

|Chapter 2.8, 7.6 |

|Things to ensure: |

|Understand why and how to use certificates and CRLs |

|Know how to use Outlook to send signed and/or encrypted emails |

|Week: 7 |

|Session 1: |

|quiz |

|Session 2: |

|weak authentication with passwords |

|Unix passwords |

|Windows LM hash and NTLM hash |

|Password attacks |

|Reference: |

|Chapter 4.5 |

|Things to ensure: |

|Understand how passwords are stored in computers |

|Week: 8 (Recess week: no class) |

|Session 1: |

|Session 2: |

|Reference: |

|Things to ensure: |

|Week: 9 |

|Session 1: |

|Strong authentication (Lamport, challenge response, time synchronization) |

|NTLMv1 and NTLMv2 |

|Session 2: |

|Internet security (SSL, firewall, IDS) |

|Reference: |

|Chapter 4.5, 7.3 |

|Things to ensure: |

|Understand why strong authentication is securer than weak authentication |

|Understand how passwords are verified in Windows |

|Understand the fundamentals of SSL, firewall and IDS |

|Understand how to protect information systems in banks (case study) |

|Project draft is due |

|Week: 10 |

|Session 1: |

|Access control models: DAC, MAC, RBAC |

|Session 2: |

|Java SecurityManager |

|Reference: |

|Chapter 4.1-4.4, 5.1-5.3 |

|Things to ensure: |

|Know how to use java SecurityManager to enforce access control |

|Assignment 2 covers weeks 9 and 10 |

|Week: 11 |

|Session 1: |

|Lab exercise for password cracking |

|Session 2: |

|Lab exercise for using firewall and IDS |

|Reference: |

|Lab instructions |

|Things to ensure: |

|Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection |

|Assignment 2 due and review |

|Week: 12 (project presentation: teams 1-5) |

|Session 1: |

|Session 2: |

|Reference: |

|Things to ensure: |

|Invited talk from industry on information security best practice |

|Week: 13 (project presentation and demo: teams 6-10) |

|Session 1: |

|Session 2: |

|Reference: |

|Things to ensure: |

|Learning information security trends from each other |

|Week: 14 (review week: no class) |

|Session 1: |

|Session 2: |

|Reference: |

|Things to ensure: |

|Project report is due |

|Week: 15 (exam week: no class) |

|Session 1: |

|Session 2: |

|Reference: |

|Things to ensure: |

|Final exam |

List of Information Resources and References

Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007

Other reading material and reference websites are available in the course slides

Tooling

|Tool |Description |Remarks |

|Open SSL, JCE, CrypTool |Security tools in Windows and Java |Hands-on exercises and demo |

|PPA, IPtable, snort |Password cracking, firewall, and IDS |Lab exercises |

Learning Outcomes, Achievement Methods and Assessment

|  |IS302 - Information Security and Trust |  |Course-specific core competencies which address |Faculty Methods |

| | | |the Outcomes |to Assess Outcomes |

|1 |Integration of business & technology in a sector |  | | |

| |context | | | |

|  |1.1 Business IT value linkage skills |YY |Identify the security properties of enterprise |Execute and grade lab exercises |

| | | |information systems | |

| | | | |Grade and give feedback to individual |

| | | |Analyze the security tradeoffs to be made in |assignments |

| | | |design of enterprise information systems | |

| | | | |Grade and give feedback to group |

| | | |List basic design principles of protecting |project |

| | | |enterprise information systems | |

| | | | | |

| | | |Identify major security technologies/components | |

| | | |that are most effective for protecting enterprise| |

| | | |information systems | |

| | | | | |

| | | |Explain the future trend of security technologies| |

| | | |that will generate significant impact to practice| |

|  |Ability to understand & analyze the linkages between: |  | | |

|  |a) Business strategy and business value creation |  | | |

|  |b) Business strategy and information strategy |  | | |

|  |c) Information strategy and technology strategy |YY | | |

|  |d) Business strategy and business processes |  | | |

|  |e) Business processes or information strategy or |  | | |

| |technology strategy and IT solutions | | | |

|  |1.2 Cost and benefits analysis skills | | | |

|  |Ability to understand and analyze: |  | | |

|  |a)  Costs and benefits analysis of the project | | | |

|  |1.3 Business software solution impact analysis skills | | | |

|  |Ability to understand and analyze: |  | | |

|  |a) How business software applications impact the |  | | |

| |enterprise within a particular industry sector. | | | |

|  |  |  | | |

|2 |IT architecture, design and development skills |  | | |

|  |2.1 System requirements specification skills |Y |Perform basic security functions with tools |Grade assignments 1 and 2 |

| | | |Crytool, openssl and JCE | |

| | | | |Execute and grade lab exercises |

| | | |Identify the security requirements for enterprise| |

| | | |information systems |Real case studies and invited talks |

| | | | |from industry with questions included |

| | | |Design effective and efficient solutions to |and graded in the final exam |

| | | |protect enterprise information systems | |

| | | | | |

| | | | |Grade and give feedback to project |

|  |Ability to: |  | | |

|  |a)  Elicit and understand functional requirements from |  | | |

| |customer | | | |

|  |b)  Identify non functional requirements (performance, |Y | | |

| |availability, reliability, security, usability etc…) | | | |

|  |c)  Analyze and document business processes |Y | | |

|  |2.2 Software and IT architecture analysis and design |Y |Analyze the vulnerability of network in a web |Execute and grade lab exercises |

| |skills | |application scenario and apply intrusion | |

| | | |detection and firewall techniques to eliminate | |

| | | |the vulnerability | |

|  |Ability to: |  | | |

|  |a)  Analyze functional and non-functional requirements |Y | | |

| |to produce a system architecture that meets those | | | |

| |requirements. | | | |

|  |b) Understand and apply process and methodology in |Y | | |

| |building the application | | | |

|  |c)  Create design models using known design principles |Y | | |

| |(e.g. layering) and from various view points (logical, | | | |

| |physical etc…) | | | |

|  |d)  Explain and justify all the design choices and |Y | | |

| |tradeoffs done during the application's development | | | |

|  |2.3 Implementation skills |Y |Use cryptool, openssl and JCE to design and |Execute and grade lab exercises and |

| | | |implement security techniques for network |project |

| | | |security and access control | |

|  |Ability to: |  | | |

|  |a)  Realize coding from design and vice versa |Y | | |

|  |b)  Learn / practice one programming language |Y | | |

|  |c)  Integrate different applications (developed |  | | |

| |application, cots software, legacy application etc…) | | | |

|  |d)  Use tools for testing, integration and deployment |Y | | |

|  |2.4 Technology application skills |Y |Understand and know how to use major security |Execute and grade lab exercises |

| | | |building blocks including hash, encryption and | |

| | | |decryption, signature, certificates, password | |

| | | |authentication, firewall, intrusion detection, | |

| | | |and access control | |

|  |Ability to: |  | | |

|  |a)      Understand, select and use appropriate |Y | | |

| |technology building blocks when developing an | | | |

| |enterprise solution (security, middleware, network, | | | |

| |IDE, ERP, CRM, SCM etc…) | | | |

|  |  |  | | |

|3 |Project management skills |  | | |

|  |3.1 Scope management skills | | | |

|  |Ability to: |  | | |

|  |a)      Identify and manage trade-offs on | | | |

| |scope/cost/quality/time | | | |

|  |b)      Document and manage changing requirements |  | | |

|  |3.2 Risks management skills | | | |

|  |Ability to: |  | | |

|  |a)      Identify, prioritize, mitigate and document | | | |

| |project’s risks | | | |

|  |b)      Constantly monitor projects risks as part of |  | | |

| |project monitoring | | | |

|  |3.3 Project integration and time management skills | | | |

|  |Ability to: |  | | |

|  |a)      Establish WBS, time & effort estimates, |  | | |

| |resource allocation, scheduling etc… | | | |

|  |b)      Practice in planning using methods and tools |  | | |

| |(Microsoft project, Gantt chart etc…) | | | |

|  |c)      Develop / execute a project plan and maintain |  | | |

| |it | | | |

|  |3.4 Configuration management skills | | | |

|  |Ability to: |  | | |

|  |a)      Understand concepts of configuration mgt and |  | | |

| |change control | | | |

|  |3.5 Quality management skills | | | |

|  |Ability to: |  | | |

|  |a)  Understand the concepts of Quality Assurance and |  | | |

| |Quality control (Test plan, test cases …) | | | |

|  |  |  | | |

|4 |Learning to learn skills |  | | |

|  |4.1 Search skills | | | |

|  |Ability to: |  | | |

|  |a) Search for information efficiently and effectively | | | |

|  |4.2 Skills for developing a methodology for learning | | | |

|  |Ability to: |  | | |

|  |a) Develop learning heuristics in order to acquire new| | | |

| |knowledge skills (focus on HOW to learn versus WHAT to | | | |

| |learn ). | | | |

|  |b) Abide by appropriate legal, professional and |  | | |

| |ethical practices for using and citing the intellectual| | | |

| |property of others | | | |

|  |  |  | | |

|5 |Collaboration (or team) skills: |  | | |

|  |5.1 Skills to improve the effectiveness of group |Y |Effectively communicate and resolve conflicts |Grade and give feedback to project |

| |processes and work products | |while working in a randomly chosen team | |

|  |Ability to develop: |  | | |

|  |a)  Leadership skills |  | | |

|  |b)  Communication skills |  | | |

|  |c)  Consensus and conflict resolution skills | | | |

|  |  |  | | |

|6 |Change management skills for enterprise systems |  | | |

|  |6.1 Skills to diagnose business changes | | | |

|  |Ability to: |  | | |

|  |a)      Understand the organizational problem or need | | | |

| |for change (e.g. Analyze existing business processes or| | | |

| |“as-is process”) | | | |

|  |6.2 Skills to implement and sustain business changes | | | |

|  |Ability to: |  | | |

|  |a)      implement the change (e.g. advertise / |  | | |

| |communicate the need for change etc..) and to sustain | | | |

| |the change over time | | | |

|  |  |  | | |

|7 |Skills for working across countries, cultures and |  | | |

| |borders | | | |

|  |7.1 Cross-national awareness skills | | | |

|  |Ability to: |  | | |

|  |a) Develop cross-national understandings of culture, |  | | |

| |institutions (e.g. law), language etc… | | | |

|  |7.2 Business across countries facilitation skills | | | |

|  |Ability to: |  | | |

|  |a)  Communicate across countries |  | | |

|  |b)   Adapt negotiation and conflict resolution |  | | |

| |techniques to a multicultural environment | | | |

|  |  |  | | |

|8 |Communication skills |  | | |

|  |8.1 Presentation skills |Y |Prepare and deliver an effective and efficient |Grade and give feedback to project |

| | | |presentation on a new information security topic.| |

|  |Ability to: |  | | |

|  |a)  Provide an effective and efficient presentation on | | | |

| |a specified topic. | | | |

|  |8.2 Writing skills |Y |Write survey report on a new information security|Grade and give feedback to project and|

| | | |topic. |individual assignments |

|  |Ability to: |  | | |

|  |a)  Provide documentation understandable by users | | | |

| |(Requirements specifications, risks management plan, | | | |

| |assumptions, constraints, architecture choices, design | | | |

| |choices etc…) | | | |

| | | | | |

|Y | This sub-skill is covered partially by the course | | | |

|YY |This sub-skill is a main focus for this course | | | |

-----------------------

[pic]

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download