MSIT 458: Information Security and Assurance
Yan Chen
I. Course description:
The past decade has seen an explosion in the concern for the security of information. This course introduces students to the basic principles and practices of computer and information security. Focus will be on the software, operating system and network security techniques with detailed analysis of real-world examples. Topics include cryptography, authentication, software and operating system security (e.g., buffer overflow), Internet vulnerability (DoS attacks, viruses/worms, botnets, etc.), intrusion detection systems, firewalls, VPN, Web and wireless network security.
II. Required text and/or other materials:
Network Security - Private Communication in a Public World, by Charlie Kaufman, Radia Perlman and Mike Speciner, 2nd Edition, Prentice Hall, 2002.
Cryptography and Network Security, by William Stallings, 4th Edition, Prentice Hall, 2006.
III. Reference text and/or other materials:
Writing Secure Code, Michael Howard and David LeBlanc, Microsoft Press, 2002.
Security in Computing, Charles Pfleeger, Shari Lawrence Pfleeger, 3rd Edition, Prentice Hall, 2002.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd edition, by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Addison Wesley, 2003.
Lecture Notes on Cryptography, by S. Goldwasser and M. Bellare.
Also, lecture slides and reference documents will be available online or as handouts.
IV. Required prerequisites or knowledge base:
421 Principles of Computer and Information Technology
432 Communications Networks I
V. Rationale for inclusion in MSIT Program:
This course provides students with an extensive understanding of information security management with emphasis on network security. Whereas other courses provide an overview of the basics of the discipline, information security is simultaneously a technical and managerial discipline with enterprise-wide implications for employees, operations and systems at every level. For organizations to successfully implement and manage an effective and efficient security program while managing shifting risks associated with interrelated information technology and decision-making, employees, contractors, vendors, and suppliers must understand the concepts, technologies and practices of information security and be able to apply them effectively in their own distinctive areas of responsibility.
VI. Course goal:
Understand the fundamental principles and underlying technologies of information security and assurance; illustrate the security principles with the state-of-the-art security technologies and products through case studies.
VII. Course Objectives:
Upon successful completion of this course, the student should be able to:
Understand the basic principles for information and communication security, and be able to apply these principles to evaluate and criticize information system security properties.
Be able to identify the vulnerability of the Internet systems and recognize the mechanisms of the attacks, and apply them to design and evaluate counter-measure tools.
VIII. Course topics/content (by week):
Week 1 (March 28) [crypto.ppt]
Cryptography: symmetric/asymmetric encryption (Stallings Chapters 2, 3 and 9, KPS Chapters 2, 3 and 5)
Symmetric encryption case study: DES/AES algorithms
Asymmetric encryption case study: RSA
One-way hash function and message digests: MD5, SHA1, SHA2
Items Due on April 2:
Homework 1, for each group
Project part 1, for each individual student
Week 2 (April 4) [authentication.ppt]
User authentication and authorization and malcode overview (KPS Chapters 9 and 10)
Authentication mechanisms: password authentication, challenge-response authentication protocols, biometrics, token-based authentication (smart card)
Authentication in distributed systems (case study: Microsoft Passport system and Kerberos)
Internet Security Report from Symantec, April 2008.
Related paper:
Items Due (all group based):
April 9: Homework 2.
April 5: Botnet presentation slides for Mag5 (Defense), AVATAR (Offense).
April 9: Botnet paper summary for the other five groups.
Week 3 (April 11) [malcode.ppt]
Internet vulnerability: malcode, worms and botnets (Stallings Chapter 19)
Overview on various malcode: virus, worms, botnets, Trojan horses, etc.
Analysis of worms: target discovery, carrier, activation mechanisms, payload and attackers.
Related paper: A Taxonomy of Computer Worms, N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, the First ACM Workshop on Rapid Malcode (WORM), 2003.
Related paper (DEBATE): Taxonomy of Botnet Threats, Trend Micro White Paper, November 2006. Mag5 (Defense), AVATAR (Offense).
[Reference] Detection and Mitigation of Fast-flux Service Networks, T. Holz, C. Gorecki, K. Rieck, and F. C. Freiling. In NDSS, 2008.
Items Due:
April 16: Homework 3
Week 4 (April 18) [invited.ppt]
Security Policy and Penetration Testing.
Invited talk on penetration testing and security policy by Brandon Hoffman, IT Advisory - Midwest, KPMG, LLP.
Network/Vulnerability scanner (case study: nmap and nessus (demo))
Related paper: Detecting SYN Flooding Attacks, H. Wang, D. Zhang, and K. G. Shin, in Proc. of IEEE INFOCOM, 2002 [Full version: Change-Point Monitoring for Detection of DoS Attacks, H. Wang, D. Zhang, and K. G. Shin, in IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 4, December 2004].
Items Due:
April 23: Homework 4.
April 19: Botnet presentation slides for Jero Jewo+ESPN (Defense), Yuri+the Cheeseheads (Offense).
April 23: Botnet paper summary for the other five groups.
Week 5 (April 25) [DoS.ppt] [web.ppt]
Internet vulnerability: denial of service (DoS) attacks and WWW Security and Defense (Stallings Chapters 18 and 19)
Point-to-point DoS attacks
Distributed DoS attacks (case study: TCP SYN flooding attacks)
Cross site scripting, SQL injection, shell attacks, etc. (demo tutorial).
Related paper (DEBATE): Web Based Attacks, Symantec white paper, Feb. 2009. Jero Jewo+ESPN (Defense), Yuri+the Cheeseheads (Offense).
Related paper: Vulnerability Analysis of Web-Based Applications, Marco Cova, Viktoria Felmetsger, Giovanni Vigna, Chapter in "Test and Analysis of Web Services", Springer, September 2007. [reference slides].
Items Due:
April 26: presentation slides by each group for project part 2.
April 30: Homework 5
Week 6 (May 2)
Information security in real business presentation by each group (problem and related work):
Website Attacks by Double Deuce.
FIPPEX.com: Investor Relations Software by ESPN.
Social Engineering: Real-World Examples by Jero Jewo.
Database and Data Security by Mag 5.
Password Security: A Case History, R. Morris and K. Thompson, Communications of the ACM, vol. 22, no. 11, 1979.