MSIT 458: Information Security and Assurance

Winter 2010

Yan Chen

I.                 Course description:

The past decade has seen an explosion in the concern for the security of information. This course introduces students to the basic principles and practices of computer and information security.  Focus will be on the software, operating system and network security techniques with detailed analysis of real-world examples. Topics include cryptography, authentication, software and operating system security (e.g., buffer overflow), Internet vulnerability (DoS attacks, viruses/worms, botnets, etc.), intrusion detection systems, firewalls, VPN, Web and wireless network security. 

II.                 Required text and/or other materials:

• Network Security - Private Communication in a Public World, by Charlie Kaufman, Radia Perlman and Mike Speciner, 2nd Edition, Prentice Hall, 2002.

• Cryptography and Network Security, by William Stallings, 4^th Edition, Prentice Hall, 2006.

III.               Reference text and/or other materials:

• Writing Secure Code, Michael Howard and David LeBlanc, Microsoft Press, 2002.

• Security in Computing, Charles Pfleeger, Shari Lawrence Pfleeger, 3rd Edition, Prentice Hall, 2002.

• Firewalls and Internet Security: Repelling the Wily Hacker, 2^nd edition, by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Addison Wesley, 2003.

• Lecture Notes on Cryptography, by S. Goldwasser and M. Bellare.

• Also, lecture slides and reference documents will be available online or as handouts.

IV.              Required prerequisites or knowledge base

• 421 Principles of Computer and Information Technology

• 432 Communications Networks I

V.                 Rationale for inclusion in MSIT Program:

This course provides students with an extensive understanding of information security management with emphasis on network security.  Whereas other courses provide an overview of the basics of the discipline, information security is simultaneously a technical and managerial discipline with enterprise-wide implications for employees, operations and systems at every level.  For organizations to successfully implement and manage an effective and efficient security program while managing shifting risks associated with interrelated information technology and decision-making employees, contractors, vendors, and suppliers must understand the concepts, technologies and practices of information security and be able to apply them effectively in their own distinctive areas of responsibility.

VI.              Course goal:

• Understand the fundamental principles and underlying technologies of information security and assurance;

• Illustrate the security principles with the state-of-the-art security technologies and products through case studies.

VII.            Course Objectives:

Upon successful completion of this course, the student should be able to:

• Understand the basic principles for information and communication security, and be able to apply these principles to evaluate and criticize information system security properties.

• Be able to identify the vulnerability of the Internet systems and recognize the mechanisms of the attacks, and apply them to design and evaluate counter-measure tools.

VIII.         Course topics/content (by week):

Week 1 (January 9) [crypto.ppt]
Cryptography symmetric/asymmetric encryption (Stallings Chapters 2, 3 and 9, KPS Chapters 2, 3 and 5)

• Symmetric encryption case study: DES/AES algorithms

• Asymmetric encryption case study: RSA

• One-way hash function and message digests: MD5, SHA1, SHA2

• Items Due on 1/18:

  • Project part 1, for each individual student

  • Botnet presentation slides for the Wanderers (Defense), the Chinchillas (Offense).

  • Botnet paper summary for the other four groups.

Week 3 (January 23 morning, week 2 class rescheduled) [authentication.ppt]
User authentication and authorization and malcode overview (KPS Chapters 9 and 10)

• Authentication mechanisms: password authentication, challenge-response authentication protocols, biometrics, token-based authentication (smart card)

• Authentication in distributed systems (case study: Microsoft Passport system and Kerberos)

• Invited talk by Jibran Ilyas, Security Consultant, Forensics at Trustwave.

• Related paper: Password Security: A Case History, R. Morris and K. Thompson, Communications of ACM, vol.22 no.11, 1979.

Week 3 (January 23 afternoon) [malcode.ppt]
Internet vulnerability: malcode, worms and botnets (Stallings Chapter 19)

• Overview on various malcode: virus, worms, botnets, Trojan horses, etc.

• Related paper: A Taxonomy of Computer Worms, N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, the First ACM Workshop on Rapid Malcode (WORM), 2003.

• Related paper (DEBATE): Taxonomy of Botnet Threats, Trend Micro White Paper, November 2006. the Wanderers (Defense), the Chinchillas (Offense).
  [Reference] A Survey of Botnet Technology and Defenses, M. Bailey, et al. in the Proc. of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

• Items Due on 1/27:

  • Homework 1

Week 4 (January 30) [invited talk]
Security Policy and Penetration Testing.

• Analysis of worms: target discovery, carrier, activation mechanisms, payload and attackers.

• Invited talk on penetration testing and security policy by Brandon Hoffman, IT Advisory - Midwest, KPMG, LLP.

• Network/Vulnerability scanner (case study: nmap and nessus (demo)).
  We will do a lab for nmap. Before that, you need to download nmap to you computer by following the instructions.

• Items Due:

  • Project problem statement presentation slides from each group, due on Feb. 1

  • Homework 2, due on Feb. 3.

Week 5 (February 6) [DoS.ppt][Metasploit.pdf]
Internet vulnerability: denial of service (DoS) attacks and Threat Trend (Stallings Ch.18 and 19)

• Demo of Metasploit. Thanks Adam Lasser for another advanced Metasploit demo!

• Point-to-point DoS attacks

• Distributed DoS attacks (case study: TCP SYN flooding attacks)

• Related paper: Detecting SYN Flooding Attacks, H. Wang, D. Zhang, and K. G. Shin, in Proc. of IEEE INFOCOM, 2002  [Full version is at Change-Point Monitoring for Detection of DoS Attacks,  H. Wang, D. Zhang, and K. G. Shin, in IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 4, December 2004.].

• Project problem statement presentation and feedback from each group

  • Secure Remote Access by the Asian Connection and Craig.

  • Network Access Control by the Chinchillas.

  • HIPPA Compliance by Fantastic Four.

  • Securing External Data Transmission by Fine Tuned Machines.

  • Security of Outsourced IT Work by Hi-5.

  • Securing Confidential Data within a Business by the Wanderers.

• Items Due:

  • Web security presentation slides for Fantastic Four (Defense), the Asian Connection and Craig (Offense) by Feb. 8.

  • Web security summary for the other four groups by Feb. 10.

  • Homework 3: For those who have high vulnerabilities found in their homework 2, please fix as much as you can, and send me another nessus scan report with updated results. In your report, please give a list of original high vulnerabilities and be specific on which one(s) you have fixed. Due by Feb. 10. You can send it together with your paper summary.

  Note: please also read the related paper on Web vulnerability analysis. It will be great if you can incorporate that into your presentation slides and paper summary

Week 6 (February 13) [web.ppt] [principle.ppt]

WWW Security and Defense, Software Security

• Cross site scripting, SQL injection, shell attacks, etc. (demo tutorial).

• Symantec Report: Rogue Security Software, November 2009.

• Related paper (DEBATE): Web Based Attacks, Symantec white paper, Feb. 2009. Here is the related podcast from Symantec. Fantastic Four (Defense), the Asian Connection and Craig (Offense).

• Related paper: Vulnerability Analysis of Web-Based Applications, Marco Cova, Viktoria Felmetsger, Giovanni Vigna, Chapter in ``Test and Analysis of Web Services", Springer, September 2007. [reference slides].

• Items Due on Feb. 17, homework 4:
  1. KPS 25-8
  2. Lean how to use an online password cracking program called Hydra. Running off of a word list, Hydra speeds up the process of cracking weak password by running multiple instances of the attack against a specified service (e.g. SSH, which defaults to 16 simultaneous threads). Word lists form the backbone of this attack and can be found all over the internet. For this homework, you can use a short wordlist from the Openwall wordlists collection.
  Your task is to use hydra to crack an account (username: guy) with a weak password at netsec-demos.cs.northwestern.edu. Use nmap to figure out services on this machine for cracking. Everyone needs to submit a report for his/her results. Note that you may need to limit the parallel tasks to be no more than four or it'll be overloaded. Below is a sample results from a Linux machine.
  Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
  Hydra (http://www.thc.org) starting at 2010-02-12 21:02:03
  [DATA] 4 tasks, 1 servers, 27424 login tries (l:1/p:27424), ~6856 tries per task
  [DATA] attacking service xxx on port xxx
  [xx][xxx] host: 165.124.184.193 login: guy password: yyy
  [STATUS] attack finished for netsec-demos.cs.northwestern.edu (waiting for childs to finish)
  Hydra (http://www.thc.org) finished at 2010-02-12 21:02:22

Week 7 (February 20) [IDS.ppt][snort.ppt] [firewalls.ppt]
Intrusion Detection/Prevention Systems and Firewalls (Stallings Chapter 18 and 20)

• Case study on IDS/IPS: snort IDS. Thanks Craig for giving a cool demo!

• Different types of firewalls: packet filters, application gateway, and circuit gateway.

• Handout from Chapter 9 of Firewalls and Internet Security: Repelling the Wily Hacker.

• Items Due:

  • Homework 5, due on Feb. 24.

  • wireless security presentation slides for Hi-5 (Defense), and Fine Tuned Machines (Offense), due on Feb. 22.

  • wireless security paper summary for the other four groups, due on Feb. 24.

Week 8 (February 27) [wirelessSec.ppt] [wirelessSec_compliance.pdf]
Wireless network security, its related compliance, and technology integration.

• Technology integration for wireless network security and compliance.

• Secure Wireless for Regulatory Compliance by Gartner analyst John Pescatore

• Related paper (DEBATE): Wireless and Network Security Integration Solution Overview, Cisco Inc. Here are more detailed guidelines on the solutions (i.e., expanding the overview). Hi-5 (Defense), and Fine Tuned Machines (Offense).

• Items Due on March 3:

  • Homework 6

Week 9 (March 6)[invited.pdf] [ipsec.ppt]
Security Industry Consolidation and IPSec (Stallings Chapters16 and KPS Chapter 17)

• Invited talk by Kurtis Minder, CISSP, Global Account Manager, Fortinet Inc.

• IPSec architecture, transport vs. tunnel mode, practical issues w/ NAT.

• Items Due on Mar 8: presentation slides for project part III.

Week 10 (March 13)
Information security in real business presentation by each group (proposed solutions and analysis)

• Securing Confidential Data within a Business by the Wanderers.

• Security of Cloud Computing by Hi-5.

• Securing External Data Transmission by Fine Tuned Machines.

• Effectively Managing System Configuration by Fantastic Four.

• Network Access Control by the Chinchillas.

• Secure Remote Access by the Asian Connection and Craig.

The lecture notes have incorporated course materials developed by Dan Boneh (Stanford), Wenke Lee (Georgia Tech), David Lie (U Toronto), Aleph One, Martin Roesch (Sourcefire Inc.), and David Dittrich (University of Washington).

IX. Teaching methods: lectures, paper presentations, debate, project, and homework.

X. Assignments

There will be several group-based homework assignments so that students can reflect on what they learn in each class and try to apply them. In the beginning of each class, I will randomly pick some student(s) to report their answers (and reasoning!) to the homework as warm-up for each class. This will be considered as individual performance in this course.

In addition, students are expected to engage in technical paper reading, making presentations and debate. These papers are carefully selected (with little math!) which can be understood with the basic information security and networking knowledge. There will be three debates with one group as defense and one group as offense. The defense team will make 30-minute presentation on the main idea/techniques of the paper while the offense team will make a 15-minute presentation on the drawbacks/shortcomings of the approach. Then we will discuss and summarize the findings.

All of the assignments, including homework, presentation draft, and paper summaries, are due on Monday midnight of corresponding weeks. For presentation draft, I will give comments on the following Tue or Wed for revision. Presentation groups do not need to submit paper summaries.

Your summary should include at least:

• Paper title and its author(s).

• Brief one-line summary.

• A paragraph of the one or two most significant new insight(s) you took away from the paper.

• A paragraph of the one or two most significant flaw(s) of the paper: maybe an experiment was poorly designed or the main idea had a narrow scope or applicability. Being able to assess weaknesses as well as strengths is an important skill for this course and beyond.

• A last paragraph where you state the relevance of the ideas today, potential future research suggested by the article, etc.

Project: each group will work on a quarter-long project called Information Security in Real Business with the following steps.

1. Understanding the security requirements in your corporate/organization, using the four cornerstones of secure computing introduced in the class. Please describe the requirement, how your corporate/organization handles that requirement and what remains to be done to fully satisfy that requirement. The requirement does not need to be restricted to a technical one, but can be related to legal, business, social, or anything to do with information security.

   This is required for each student. In the submission, please also give suggestions on the current syllabus, e.g., important topics which are currently missing, interesting extra teaching materials that you are aware of, etc. I will try to make adjustment based on the suggestions. The suggestion part is optional. It will not affect your grade if you don't have any.

2. Based on the requirements, pick one problem that most of your group members have interest in, and it is not yet well solved in your corporate/organization. If you are uncomfortable talking about your employers security practices, you can anonymize the name or use a hypothetical case but reflects the real problems in industry. Formulate a security problem and do some research on the related work. Please show why this problem is a general one that comes across multiple industry/education/government sectors. Each group is expected to give a short presentation (5 minute) to seek synergy and early feedback from other students and the instructor (maximal another 5 minutes for each group) in week 5.

3. Then please analyze the pros and cons on the existing work, and propose a solution to the problem you formulated, by either adopting existing solutions, or propose something new. Please be specific on how you will implement or have implemented the solutions, the cost/risk analysis, feasibility analysis, business/legal consequence, how this solution will fit different corporate context, like industry, education, government, etc. Each group is expected to give a final project presentation in the class of week 10.

XI. Grading criteria

• Class participation and discussions (including quizzes): 30%

• Paper summary and debate: 20%

• Homework assignments (including individual tests of homework in class): 30%

• Project submission and presentation: 20%

XII.Instructor profile

Yan Chen is an Associate Professor in the Department of Electrical Engineering and Computer Science at Northwestern University. He got his Ph.D. in Computer Science from the University of California at Berkeley in 2003. He has over ten years of experience in network security, network and distributed system measurement and diagnosis, for both wired and wireless networks. He won the Department of Energy (DOE) Early CAREER award in 2005, the DoD (Air Force of Scientific Research) Young Investigator Award in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with his colleagues. His research is also sponsored by National Science Foundation (NSF) and Motorola. In addition to the industry sponsors, he has widely collaborated with industry researchers from Microsoft, AT&T, Motorola, Yahoo, Keynote, and the Internet Storm Center of the SANS (SysAdmin, Audit, Network, Security) Institute. According to Google Scholar, his papers have been cited for more than 2,600 times.

He started several security courses at Northwestern University, including the EECS 350 Introduction to Computer Security, EECS 354 Network Penetration and Security, and EECS 450 Internet Security. He was awarded as a Searle Junior Fellow by the Searle Center for Teaching Excellence of Northwestern University in 2004.