I. Course description:
The past decade has seen an explosion in the concern for the security of information. This course introduces students to the basic principles and practices of computer and information security. Focus will be on software, operating system and network security techniques with detailed analysis of real-world examples. Topics include cryptography, authentication, software and operating system security (e.g., buffer overflow), Internet vulnerabilities (DoS attacks, viruses/worms, botnets, etc.), intrusion detection systems, firewalls, VPNs, Web and wireless network security.
II. Required text and/or other materials:
o Network Security - Private Communication in a Public World, by Charlie Kaufman, Radia Perlman and Mike Speciner, 2nd Edition, Prentice Hall, 2002
o Cryptography and Network Security, by William Stallings, 4th Edition, Prentice Hall, 2006
III. Reference text and/or other materials:
o Writing Secure Code, Michael Howard and David LeBlanc, Microsoft Press, 2002.
o Security in Computing, Charles Pfleeger, Shari
o Firewalls and Internet Security: Repelling the Wily Hacker, 2nd edition, by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Addison Wesley, 2003
o Lecture Notes on Cryptography, by S. Goldwasser and M. Bellare, available online at http://www-cse.ucsd.edu/users/mihir/papers/gb.html
o Also, lecture slides and reference documents will be available online or as handouts.
IV. Required prerequisites or knowledge base:
421 Principles of Computer and Information Technology
432 Communications Networks I
V. Rationale for inclusion in MSIT Program:
This course provides students with an extensive understanding of information security management with emphasis on network security. Whereas other courses provide an overview of the basics of the discipline, information security is simultaneously a technical and managerial discipline with enterprise-wide implications for employees, operations and systems at every level. For organizations to successfully implement and manage an effective and efficient security program while managing the shifting risks associated with interrelated information technology and decision-making, employees, contractors, vendors, and suppliers must understand the concepts, technologies and practices of information security and be able to apply them effectively in their own distinctive areas of responsibility.
VI. Course goal:
1. Understand the fundamental principles and underlying technologies of information security and assurance;
2. Illustrate the security principles with state-of-the-art security technologies and products through case studies.
VII. Course Objectives:
Upon successful completion of this course, the student should be able to:
· Understand the basic principles of information and communication security, and be able to apply these principles to evaluate and critique the security properties of information systems
· Be able to identify the vulnerabilities of Internet systems, recognize the mechanisms of the attacks, and apply that understanding to design and evaluate countermeasure tools
VIII. Course topics/content (by week):
Week 1 (March 29) [crypto.ppt]: Cryptography: symmetric/asymmetric encryption (Stallings Chapters 2, 3 and 9, KPS Chapters 2, 3 and 5)
· Symmetric encryption case study: DES/AES algorithms
· Asymmetric encryption case study: RSA
· One-way hash functions and message digests: MD5, SHA1, SHA2
Week 2 (April 5) [authentication.ppt]: User authentication and authorization and malcode overview (KPS Chapters 9 and 10)
· Authentication mechanisms: password authentication, challenge-response authentication protocols, biometrics, token-based authentication (smart card)
· Authentication in distributed systems (case study: Microsoft Passport system)
· Internet Security Report from Symantec
· Overview of various malcode: viruses, worms, botnets, Trojan horses, etc.
· Related paper: Password Security: A Case History, R. Morris and K. Thompson, Communications of the ACM, vol. 22 no. 11, 1979.
· Items Due:
1. April 6: botnet presentation slides for Roadrunners (Defense), Xeon (Offense)
2. April 11: project part 1, for each individual student
3. April 11: botnet paper summary for the other three groups
Week 3 (April 12) [malcode.ppt]: Internet vulnerability: malcode, worms and botnets (Stallings Chapter 19)
· Analysis of worms: target discovery, carrier, activation mechanisms, payload and attackers.
· Related paper: A Taxonomy of Computer Worms, N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, the First ACM Workshop on Rapid Malcode (WORM), 2003.
· Related paper (DEBATE): A Multifaceted Approach to Understanding the Botnet Phenomenon, M. A. Rajab, et al., ACM IMC 2006. Road Runners (Defense), Xeon (Offense).
· Items Due:
1. April 13: spam presentation slides for Weapons of Mass Propulsion (Defense), Excel (Offense)
2. April 18: spam paper summary for the other three groups
Week 4 (April 19) [DoS.ppt]: Internet vulnerability: denial of service (DoS) attacks (Stallings Ch. 18 and 19)
· Homework 1 is out.
· Point-to-point DoS attacks
· Distributed DoS attacks (case study: TCP SYN flooding attacks)
· Network/vulnerability scanners (case study: nmap and nessus (demo))
· Related paper: Detecting SYN Flooding Attacks, H. Wang, D. Zhang, and K. G. Shin, in Proc. of IEEE INFOCOM, 2002 [full version: Change-Point Monitoring for Detection of DoS Attacks, H. Wang, D. Zhang, and K. G. Shin, in IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 4, December 2004].
· Related paper (DEBATE): Understanding the Network-Level Behavior of Spammers, A. Ramachandran and N. Feamster, ACM SIGCOMM 2006. [reference slides] Weapons of Mass Propulsion (Defense), Excel (Offense).
Week 5 (April 26) [invited_talk.pdf] [IDS.ppt] [snort.ppt]: Network Access Control and Intrusion Detection/Prevention Systems (Stallings Ch. 18 and 19)
· Invited talk on Network Access Control by Kurtis Minder, CISSP, Mirage Networks Inc.
· Case study on IDS/IPS: snort IDS.
· Items Due on April 27th: homework 1.
Week 6 (May 3) [pcidss.ppt] [healthcare.pdf] [dshield.pdf]: Security issues in the financial industry and healthcare
· Invited talk by Ronald Widitz, Senior Associate, Discover Financial Services.
· CYBER TRUST and INNOVATION in HEALTH CARE: Where Code, HIPAA and Fear meet (modified from Dr. Carol Diamond's talk at NSF Cyber Trust PI meeting 2008).
· Security information fusion with Internet Storm Center (DShield).
· Items Due on May 4th: presentation slides by each group for project part 2.
Week 7 (May 10): Firewalls [firewalls.ppt] (Stallings Chapter 20)
· Different types of firewalls: packet filters, application gateways, and circuit gateways.
· Handout from Chapter 9 of Firewalls and Internet Security: Repelling the Wily Hacker.
· Information security in real business presentation by each group (problem and related work)
o A Secure Network for All by Excel group
o Keeping Laptops Secure by WiMP group
o VoIP Security by Xeon group
o Single Sign-on by Road Runners group
o Wireless Authentication via EAP-FAST by Party of Five
Week 8 (May 17): IPSec [ipsec.ppt] (Stallings Chapter 16 and KPS Chapter 17)
· In-class quiz.
· IPSec architecture, transport vs. tunnel mode, practical issues with NAT.
· Case study on penetration testing: metasploit (metasploit basics and code for demo).
· Secure Wireless for Regulatory Compliance by Gartner analyst John Pescatore.
· Items Due on May 25th: presentation slides by Party of Five on wireless network authentication (project part III).
Week 9 (May 31): Wireless network security [wirelessSec.pdf] and WWW Security and Defense [web.ppt]
· Cross-site scripting, SQL injection, shell attacks, etc. (demo tutorial).
· Technology integration for wireless network security and compliance.
· Wireless network authentication presentation by Party of Five.
· Items Due on June 1st: presentation slides by other groups for project part III.
· Note: we have the firewall handout available. Some students didn't pick it up last week. It can be a useful reference if you need to select/configure a firewall later.
Week 10 (June 7): Software Security and Buffer Overflow [principle.ppt] [bufferOverflow.ppt] [bufferOverflowDefense.ppt]
· Principles for building secure software systems
· Case study: sendmail vs. qmail
· Buffer overflow vulnerability and defense techniques
· Information security in real business presentation by each group (proposed solutions and analysis)
o A Secure Network for All by Excel group
o Keeping Laptops Secure by WiMP group
o VoIP Security by Xeon group
o Single Sign-on by Road Runners group
· Related papers:
o Basic Principles of Information Protection, from "The Protection of Information in Computer Systems", by J. H. Saltzer and M. D. Schroeder
o Qmail handbook, Ch. 1, Introduction to Qmail
o Smashing The Stack For Fun And Profit, Aleph One.
o Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, et al.
The lecture notes have incorporated course materials developed by Dan Boneh (Stanford), Wenke Lee (
I. Teaching methods: lectures, paper presentations, debate, project, homework and exam.
II. Assignments:
In addition to two to three homework assignments, students are expected to engage in technical paper reading, presentations and debate. These papers are carefully selected (with little math!) and can be understood with basic information security and networking knowledge. There will be three debates, each with one group as defense and one group as offense. The defense team will give a 25-minute presentation on the main idea/techniques of the paper, while the offense team will give a 15-minute presentation on the drawbacks/shortcomings of the approach. Then we will discuss and summarize the findings.
The presentation draft is due on Sunday midnight of the presentation week. I will give comments on the following Monday or Tuesday for revision. This deadline also applies to the project presentation described below. For non-presenting groups, the summary is due on Friday midnight before the presentation class.
Your summary should include at least:
· Paper title and its author(s).
· Brief one-line summary.
· A paragraph on the one or two most significant new insight(s) you took away from the paper.
· A paragraph on the one or two most significant flaw(s) of the paper: maybe an experiment was poorly designed or the main idea had a narrow scope or applicability. Being able to assess weaknesses as well as strengths is an important skill for this course and beyond.
· A last paragraph where you state the relevance of the ideas today, potential future research suggested by the article, etc.
Project: each group will work on a quarter-long project called Information Security in Real Business with the following steps.
1) Understand the security requirements in your corporation/organization, using the four cornerstones of secure computing introduced in class. Please describe the requirement, how your corporation/organization handles that requirement and what remains to be done to fully satisfy that requirement. The requirement does not need to be restricted to a technical one, but can be related to legal, business, social, or anything to do with information security.
This part is required for each student. In the submission, please also give suggestions on the current syllabus, e.g., important topics that are currently missing, interesting extra teaching materials that you are aware of, etc. I will try to make adjustments based on the suggestions. The suggestion part is optional; it will not affect your grade if you don't have any.
2) Based on the requirements, pick one problem that most of your group members are interested in and that you believe is not yet well solved in your corporation/organization. Formulate a security problem and do some research on the related work. Please show how this problem is a general one that comes across multiple industry/education/government sectors. Also, give pros and cons of the existing work. Each group is expected to give a presentation on this in the class of week 7.
3) Propose a solution to the problem you formulated, by either adopting existing solutions or proposing something new. Please be specific on how you will implement or have implemented the solution, the cost/risk analysis, feasibility analysis, business/legal consequences, and how this solution will fit different corporate contexts, like industry, education, government, etc. Each group is expected to give a presentation on this in the class of week 10.
III. Grading criteria:
Class participation and discussions 20%
Paper summary and debate 25%
Homework assignments 10%
Project submission and presentation 25%
Quiz 20%
IV. Instructor profile:
Yan Chen is an Assistant Professor in the Department of Electrical Engineering and Computer Science at
Besides publishing in premier conferences such as ACM SIGCOMM, he has served on the technical program committee (TPC) of major networking and security conferences such as ACM MOBICOM, IEEE INFOCOM, and IEEE ICNP. He started several security courses at