Course Design

Published on March 2017

Course Design Document IS302: Information Security and Trust

Version 4.7 17 December 2012

SMU School of Information Systems (SIS)

Table of Content
1 Versions History
2 Overview of Security and Trust Course
3 Output and Assessment Summary
  Midterm quiz (15%; problem solving)
  Class participation (10%)
  Project (25%)
  Final Exam (40%; closed book) in week 15
  Grades release schedule
4 Group Allocation for Assignments
5 Classroom Planning
  5.1 Course Schedule Summary
  5.2 Lab Exercises
  5.3 Weekly plan
6 List of Information Resources and References
7 Tooling
8 Learning Outcomes, Achievement Methods and Assessment

Course: Security and Trust


1 Versions History
Version | Author | Date
V 1.0 | Yingjiu Li | 31-12-2004
V 2.0 | Yingjiu Li | 03-12-2005
V 2.1 | Yingjiu Li | 26-12-2005
V 2.2 | Yingjiu Li | 07-08-2006
V 3.0 | Yingjiu Li | 28-12-2006
V 4.0 | Yingjiu Li | 03-12-2007
V 4.1 | Yingjiu Li | 15-02-2008
V 4.2 | Yingjiu Li | 24-12-2008
V 4.3 | Yingjiu Li | 02-11-2009
V 4.4 | Yingjiu Li | 10-06-2010
V4.5 | Yingjiu Li | 02-01-2012
V4.6 | Yingjiu Li | 31-10-2012
V4.7 | Yingjiu Li | 17-12-2012

Description of Changes
• Revised the design documents for weeks 7 – 11 based on discussions with Ravi Sandhu and Ankit Fadia
• Re-designed the project
• Re-designed the lab session
• Revised the prerequisites of the course, learning outcomes, and tooling
• Revised course content and schedule
• Strengthened hands-on exercise
• Revised course content and schedule
• Revised design document in new format
• Revised project design
• Revised learning outcomes
• Revised design document in new format
• Revised project topics
• Revised project topics
• Revised project design and topics

2 Overview of Security and Trust Course
2.1 Synopsis

The Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and the Java language.

2.2 Prerequisites

Students should understand the basics of computer networks, programming languages (Java, in particular), and information systems.

2.3 Objectives

Upon finishing the course, students are expected to:
• Understand basic security concepts, models, algorithms and protocols.
• Understand security requirements and constraints in some real world applications.
• Be able to analyze the current security mechanisms.
• Be aware of the current and future trends in security applications.

2.4 Basic Modules

• Background and Basic Concepts (1 week)
• Applied Cryptography (4 weeks)
• NW Security (3 weeks)
• Access Control (1 week)
• Quiz and project presentation (3 weeks)

2.5 Instructional Staff

• Professors: Robert Deng, Yingjiu Li, Xuhua Ding
• Instructional staff: to be updated
• Teaching assistant: to be updated

3 Output and Assessment Summary
Table columns: Week | Date | Output | Assessments | Weighting in % (Group) | Remarks

Weeks: 1, 2, 3, 4, 5, 6, 7, 8 (Recess), 9, 10, 11, 12, 13, 14 (Review), 15, Total

Weighting:
• Project 25% (report 10%, presentation 15%)
• Final exam 40%
• Assignments 10%
• Midterm quiz 15%
• Class participation 10%

Weighting in % column entries: 10, 15, 40, 90, 100%; 5, 15, 5

Remarks (in week order): Overview; Enc to DES; Enc to AES; RSA, DH; Hash, MAC, Sig; Cert, PKI; Password; Password II and internet security; AC; password cracking, FW, IDS; Invited talk from industry

Output and assessments (in week order): 10 project groups; Assignment 1 (due); Midterm; Review midterm; Lab, Assignment 2 due; Project presentation and demo I; Project presentation and demo II; Project report; Final exam

Midterm quiz (15%; problem solving)

• 1.5 hours (closed-book)
• Covers the first 6 weeks.

Class participation (10%)

• Evaluated by the lecturers based on students’ participation in classroom discussions and grading on hands-on and lab exercises

Project (25%)
• Teaming: each team consists of 4 to 5 members. The students form the teams by themselves.
• References: internet, textbook

Each team chooses a topic from the following list and conducts an open-ended investigation on the topic:
1. Web browser security
2. SSL security issues and solutions
3. Privacy leakage and control in online social networks
4. Authentication and anonymity in location based services
5. Android permission models and enforcement
6. iOS malware and detection
7. Android malware and detection
8. Trusted Platform Module (TPM) and its application
9. Password strength measurements
10. Anonymous communication
11. Keyloggers
12. Security in cloud computing
13. Security in electronic payment

• Grading: 25%
  1. Presentation 15%
     - Presentation organization 5%
     - Technical description 5%
     - Q&A 5%
  2. Project report 10%
     - Breadth 5%
     - Depth 5%
• Deliverables: Each team will write a project report on their findings, and deliver an oral presentation in class. The report is expected to be around 15 pages, using 11pt font, single column and single space format. The oral presentation should be delivered within 20~25 minutes plus 5~10 minutes Q&A.
  – Requirements: In both presentation and report, each team should:
    a) Describe the background of the related topic
    b) Identify major issues (problems, concerns, questions) in the field
    c) Address the identified issues with technical details
    d) Provide your own comments and analyses
    e) Give illustrative examples and case studies where appropriate
    f) List all references

The project outline, around 5 pages, is due in week 9 before class and is not graded. The presentations are scheduled in weeks 12 and 13. The final report is due on Friday of week 15.

Final Exam (40%; closed book) in week 15
• Covers all material taught in class, including the invited talk and lab
• Multiple choice questions and short answer questions

Grades release schedule
Item | Release
Ex/Assignments | before the next class
Midterm | before week 10
Participation | at the end of term
Final exam | at the end of term
Group project | at the end of term

4 Group Allocation for Assignments
Each class is partitioned into 10 groups. The students form their own groups.

5 Classroom Planning
Teaching session: 3 hours
Review: 15 minutes
Solution techniques: 1 hour 30 minutes
• Security problems and techniques
• Analysis
Hands-on exercises: 1 hour
• Settings and steps
• Discussions
Summary: 15 minutes

5.1 Course Schedule Summary

Table columns: Wk | Topic (problem) | Readings (textbook) | Classroom: techniques (1.5 hours) | Classroom: hands-on (1.5 hours) | After-class reading and exercise | Note

Wk | Topic (problem) | Readings (textbook) | Classroom: techniques (1.5 hours) | Classroom: hands-on (1.5 hours)
1 | Background | Chapter 1, 7.1 | Networking basics and security concepts | Form project teams
2 | Enc Basics | 2.1-2.4 | Enc basics | OpenSSL and JCE
3 | DES-AES | 2.5-2.6, 10.2 | DES, AES | OpenSSL and JCE
4 | RSA | 2.7-2.8, 10.3 | RSA enc | OpenSSL and JCE
5 | Integrity | 2.8, 10.3 | Hash, MAC, RSA sig | Assignment 1 review, Open SSL and JCE
6 | Cert, PKI | 2.8, 7.6 | Cert, PKI, CRL | Open SSL, email security, windows cert mgt
7 | Quiz, user auth | 4.5 | Midterm | User authentication I
8 | Recess | | |
9 | User auth | 4.5, 7.3 | User authentication II and internet security | Review of midterm
10 | AC | 4.1-4.4, 5.1-5.3 | DAC, MAC, RBAC | Java SecurityManager
11 | Internet Sec | | Lab on pwd cracking | Lab on FW, IDS, and AC
12 | Proj Pres I | | 5 groups |
13 | Proj Pres II | | 5 groups |
14 | Review | | |
15 | Final exam | | |

After-class reading and exercise / Note entries:
• Week 1: Group formation and topic selection
• Weeks 2 to 10 (in table order): Assignment 1; Assignment 2; Assignment 1; Assignment 1; Assignment 1 due; Project draft due, Assignment 2; Assignment 2
• Week 11: Assignment 2 due
• Week 12: Invited talk from industry
• Week 13: Project report, Q&A
• Week 14: Project report due
• Note: Learning; Hands-on; Learning effect

5.2 Lab Exercises
The lab exercises shall be conducted in class, usually during the second half of the time allocated for the class. The students shall be provided with a lab document, detailing the activities to be conducted, and the instructor will guide the students where required. The results of the labs have to be submitted at the end of class. No late submissions will be accepted (unless otherwise instructed by the professor teaching the respective section).

Week | Lab | Focus | Lab Activity
1 | 1 | Basic security concepts | Email attack in SMTP
2 | 2 | Encryption basics | Openssl, cryptool, and JCE installation and demo
3 | 3 | DES and AES | DES and AES with openssl, JCE, and cryptool
4 | 4 | RSA encryption | RSA encryption with openssl, JCE and cryptool
5 | 5 | Integrity check | Hash, MAC, and RSA signature
6 | 6 | Certification and PKI | Email security with free certificates
7 | | Password authentication | Midterm
9 | | Strong authentication | Review of midterm
10 | 7 | Access control | Security manager in JCE
11 | 8 | Internet security | Password cracking, firewall and intrusion detection in SAS lab.

5.3 Weekly plan
Week: 1
Session 1:
• Introduction to the course
• Basic security concepts
Session 2:
• Networking basics and email attack
• Project team formation
Reference:
• Chapter 1 and 7.1
Things to ensure:
• Course material is available for download from the course web site
• Students must be assigned into groups for project

Week: 2
Session 1:
• Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
• Security analysis of ancient ciphers
Session 2:
• Installation of JCE, cryptool and Openssl
• Test for the tools
Reference:
• Chapter 2.1-2.4
Things to ensure:
• Students understand two basic encryption techniques: substitution and transposition
• JCE, cryptool and openssl are correctly installed for hands-on exercise in the following weeks

Week: 3
Session 1:
• DES: history and details
• AES: history and details
Session 2:
• Use both Openssl and JCE for DES and AES encryption and decryption
Reference:
• Chapter 2.5-2.6, 10.2
Things to ensure:
• Students know the security status of DES and AES
• Students know how to use DES and AES in Openssl and JCE

Week: 4
Session 1:
• Asymmetric encryption with RSA
Session 2:
• Use Openssl and JCE for generating RSA keys and for performing RSA encryption
Reference:
• Chapter 2.7-2.8, 10.3
Things to ensure:
• Students understand the security of RSA encryption
• Students know how to generate RSA keys and use RSA keys in Openssl and JCE
• Assignment 1 due and review

Week: 5
Session 1:
• Hash functions (MD5 and SHA1)
• MAC (HMAC and DES-MAC)
• RSA signature
• Compare MAC with RSA signature for message integrity check
Session 2:
• Use JCE for message integrity check with HMAC and RSA signature
Reference:
• Chapter 2.8, 10.3
Things to ensure:
• Students understand the security status of hash functions
• Students understand the differences between MAC and RSA signature
• Students know how to use JCE for integrity check with MAC and RSA signature

Week: 6
Session 1:
• Impersonation problem and the need for certificates
• X.509 certificate format
• CRL
Session 2:
• Email security (S/MIME and PGP)
• Signed and/or encrypted email with COMODO certificates in Outlook
Reference:
• Chapter 2.8, 7.6
Things to ensure:
• Understand why and how to use certificates and CRLs
• Know how to use Outlook to send signed and/or encrypted emails

Week: 7
Session 1:
• Quiz
Session 2:
• Weak authentication with passwords
• Unix passwords
• Windows LM hash and NTLM hash
• Password attacks
Reference:
• Chapter 4.5
Things to ensure:
• Understand how passwords are stored in computers

Week: 8 (Recess week: no class)

Week: 9
Session 1:
• Strong authentication (Lamport, challenge response, time synchronization)
• NTLMv1 and NTLMv2
Session 2:
• Internet security (SSL, firewall, IDS)
Reference:
• Chapter 4.5, 7.3
Things to ensure:
• Understand why strong authentication is more secure than weak authentication
• Understand how passwords are verified in Windows
• Understand the fundamentals of SSL, firewall and IDS
• Understand how to protect information systems in banks (case study)
• Project draft is due

Week: 10
Session 1:
• Access control models: DAC, MAC, RBAC
Session 2:
• Java SecurityManager
Reference:
• Chapter 4.1-4.4, 5.1-5.3
Things to ensure:
• Know how to use Java SecurityManager to enforce access control
• Assignment 2 covers weeks 9 and 10

Week: 11
Session 1:
• Lab exercise for password cracking
Session 2:
• Lab exercise for using firewall and IDS
Reference:
• Lab instructions
Things to ensure:
• Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection
• Assignment 2 due and review

Week: 12 (project presentation: teams 1-5)
Things to ensure:
• Invited talk from industry on information security best practice

Week: 13 (project presentation and demo: teams 6-10)
Things to ensure:
• Learning information security trends from each other

Week: 14 (review week: no class)
Things to ensure:
• Project report is due

Week: 15 (exam week: no class)
Things to ensure:
• Final exam

6 List of Information Resources and References
Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007

Other reading material and reference websites are available in the course slides

7 Tooling
Tool | Description | Remarks
Open SSL, JCE, CrypTool | Security tools in Windows and Java | Hands-on exercises and demo
PPA, IPtable, snort | Password cracking, firewall, and IDS | Lab exercises

8 Learning Outcomes, Achievement Methods and Assessment

Table columns: IS302 - Information Security and Trust | Course-specific core competencies which address the Outcomes | Faculty Methods to Assess Outcomes

Legend:
Y: This sub-skill is covered partially by the course
YY: This sub-skill is a main focus for this course

1 Integration of business & technology in a sector context
Coverage marks: YY, YY
Course-specific core competencies:
• Identify the security properties of enterprise information systems
• Analyze the security tradeoffs to be made in design of enterprise information systems
• List basic design principles of protecting enterprise information systems
• Identify major security technologies/components that are most effective for protecting enterprise information systems
• Explain the future trend of security technologies that will generate significant impact to practice
Faculty methods to assess outcomes:
• Execute and grade lab exercises
• Grade and give feedback to individual assignments
• Grade and give feedback to group project
1.1 Business IT value linkage skills
Ability to understand & analyze the linkages between:
a) Business strategy and business value creation
b) Business strategy and information strategy
c) Information strategy and technology strategy
d) Business strategy and business processes
e) Business processes or information strategy or technology strategy and IT solutions
1.2 Cost and benefits analysis skills
Ability to understand and analyze:
a) Costs and benefits analysis of the project
1.3 Business software solution impact analysis skills
Ability to understand and analyze:
a) How business software applications impact the enterprise within a particular industry sector.

2 IT architecture, design and development skills
Coverage marks: Y, listed 14 times
Course-specific core competencies and faculty methods to assess outcomes:
• Perform basic security functions with tools Cryptool, openssl and JCE; identify the security requirements for enterprise information systems; design effective and efficient solutions to protect enterprise information systems. Assessed by: grade assignments 1 and 2; execute and grade lab exercises; real case studies and invited talks from industry with questions included and graded in the final exam; grade and give feedback to project.
• Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability. Assessed by: execute and grade lab exercises.
• Use cryptool, openssl and JCE to design and implement security techniques for network security and access control. Assessed by: execute and grade lab exercises and project.
• Understand and know how to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control. Assessed by: execute and grade lab exercises.
2.1 System requirements specification skills
Ability to:
a) Elicit and understand functional requirements from customer
b) Identify non functional requirements (performance, availability, reliability, security, usability etc…)
c) Analyze and document business processes
2.2 Software and IT architecture analysis and design skills
Ability to:
a) Analyze functional and nonfunctional requirements to produce a system architecture that meets those requirements.
b) Understand and apply process and methodology in building the application
c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc…)
d) Explain and justify all the design choices and tradeoffs done during the application's development
2.3 Implementation skills
Ability to:
a) Realize coding from design and vice versa
b) Learn / practice one programming language
c) Integrate different applications (developed application, COTS software, legacy application etc…)
d) Use tools for testing, integration and deployment
2.4 Technology application skills
Ability to:
a) Understand, select and use appropriate technology building blocks when developing an enterprise solution (security, middleware, network, IDE, ERP, CRM, SCM etc…)

3 Project management skills
3.1 Scope management skills
Ability to:
a) Identify and manage trade-offs on scope/cost/quality/time
b) Document and manage changing requirements
3.2 Risks management skills
Ability to:
a) Identify, prioritize, mitigate and document project’s risks
b) Constantly monitor projects risks as part of project monitoring
3.3 Project integration and time management skills
Ability to:
a) Establish WBS, time & effort estimates, resource allocation, scheduling etc…
b) Practice in planning using methods and tools (Microsoft project, Gantt chart etc…)
c) Develop / execute a project plan and maintain it
3.4 Configuration management skills
Ability to:
a) Understand concepts of configuration mgt and change control
3.5 Quality management skills
Ability to:
a) Understand the concepts of Quality Assurance and Quality control (Test plan, test cases …)

4 Learning to learn skills
4.1 Search skills
Ability to:
a) Search for information efficiently and effectively
4.2 Skills for developing a methodology for learning
Ability to:
a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn).
b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others

5 Collaboration (or team) skills
Coverage marks: Y
Course-specific core competencies:
• Effectively communicate and resolve conflicts while working in a randomly chosen team
Faculty methods to assess outcomes:
• Grade and give feedback to project
5.1 Skills to improve the effectiveness of group processes and work products
Ability to develop:
a) Leadership skills
b) Communication skills
c) Consensus and conflict resolution skills

6 Change management skills for enterprise systems
6.1 Skills to diagnose business changes
Ability to:
a) Understand the organizational problem or need for change (e.g. Analyze existing business processes or “as-is process”)
6.2 Skills to implement and sustain business changes
Ability to:
a) Implement the change (e.g. advertise / communicate the need for change etc..) and to sustain the change over time

7 Skills for working across countries, cultures and borders
7.1 Cross-national awareness skills
Ability to:
a) Develop cross-national understandings of culture, institutions (e.g. law), language etc…
7.2 Business across countries facilitation skills
Ability to:
a) Communicate across countries
b) Adapt negotiation and conflict resolution techniques to a multicultural environment

8 Communication skills
Coverage marks: Y, Y
Course-specific core competencies and faculty methods to assess outcomes:
• Write survey report on a new information security topic. Assessed by: grade and give feedback to project and individual assignments.
• Prepare and deliver an effective and efficient presentation on a new information security topic. Assessed by: grade and give feedback to project.
8.1 Presentation skills
Ability to:
a) Provide an effective and efficient presentation on a specified topic.
8.2 Writing skills
Ability to:
a) Provide documentation understandable by users (Requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc…)
