Course Design Document IS302: Information Security and Trust

quarterceladonΚινητά – Ασύρματες Τεχνολογίες

10 Δεκ 2013 (πριν από 3 χρόνια και 7 μήνες)

55 εμφανίσεις











Course Design Document



IS302:
Information
Security and
Trust




Version 4
.
7



17

December

201
2








SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
2


Table of Content





1

Versions History

................................
................................
................................
................................
..

3

2

Overview of Security and Trust Course

................................
................................
............................

4

2.1

Synopsis

................................
................................
................................
................................
........

4

2.2

Prerequisites

................................
................................
................................
................................

4

2.3

Objectives

................................
................................
................................
................................
.....

4

2.4

Basic Modules

................................
................................
................................
..............................

4

2.5

Instructional Staff

................................
................................
................................
........................

5

3

Output and Assessment Summary

................................
................................
................................
....

5

Midterm quiz (15%; problem solving)

................................
................................
................................
......

6

Class participation (10
%)

................................
................................
................................
..........................

6

Project (25%) consists of part A (15%) and part B (10%)

................................
................................
.........

6

Final Exam (40%; close book) in week 15

................................
................................
................................

7

Grades release schedule

................................
................................
................................
.............................

7

4

Group Allocation for Assignments

................................
................................
................................
....

7

5

Classroom Planning

................................
................................
................................
............................

7

5.1

Course Schedule Summary

................................
................................
................................
...........

8

5.2 Lab Exercises

................................
................................
................................
................................
.......

9

5.3 Weekly plan

................................
................................
................................
................................
.........

9

6

List of Information Resources and References

................................
................................
................
13

Textbook:
Security in Computing

(4th edition) by Charles P. Pfleeger and Sh
ari L. Pfleeger,
Prentice Hall, 2007
................................
................................
................................
................................
.
13

7

Tooling

................................
................................
................................
................................
................
13

Tool

13

Des
cription

................................
................................
................................
................................
..............
13

Remarks

................................
................................
................................
................................
..................
13

8

Learning Outcomes, Achievement Methods and Assessment

................................
........................
13





























SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
3


1

Versions

History


Version

Description of
Changes

Author

Date

V 1.0


Yingjiu Li

31
-
12
-
2004

V 2.0



R
evised the design
documents for weeks
7




b慳敤 on
d楳捵ss楯ns w楴h
o慶椠卡pdu 慮d
䅮k楴⁆慤楡



Re
-
designed the
project

Yingjiu Li

03
-
12
-
2005

V 2.1



Re
-
designed the lab
session

Yingjiu Li

26
-
12
-
2005

V 2.2



Revised the pre
-
requisites of the
course, learning
outcomes, and
tooling

Yingjiu Li

07
-
08
-
2006

V 3.0



Revised course
content and schedule



Strengthened hands
-
on exercise

Yingjiu Li

28
-
12
-
2006

V 4.0



Revised course
content and schedule

Yingjiu Li

03
-
12
-
2007

V 4.1



Revised
design
document

in new
format

Yingjiu Li

15
-
02
-
2008

V 4.2



Revised
project
design

Yingjiu Li

24
-
12
-
2008

V 4.3



Revised learning
outcomes

Yingjiu Li

02
-
11
-
2009

V 4.4



Revised de
sign
document in new
format

Yingjiu Li

10
-
06
-
2010

V4.5



Revised project
topics

Yingjiu Li

02
-
01
-
2012

V4.6



Revised project
topics

Yingjiu Li

31
-
10
-
2012

V4.7



Revised project
design and topics

Yingjiu Li

17
-
12
-
2012












SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
4


Background and Basic Concepts (1 week)
Background and Basic Concepts (1 week)
Applied
Cryptography
(4 weeks)
Applied
Cryptography
(4 weeks)
NW Security
(3 weeks)
NW Security
(3 weeks)
Access Control
(1 week)
Access Control
(1 week)
Quiz and project presentation (3 week)
Quiz and project presentation (3 week)







2

Overview of

Security an
d Trust

Course


2.1

Synopsis


Security and Trust course
provides both fundamental principles and technical
skills for analyzing, evaluating, and developing secure systems in practice.
Students will learn essentials about security models, algorithms, protocol
s, and
mechanisms in computer
networks, programs
, and database systems.
Classroom instruction will be integrated with
hands
-
on exercises on security tools
in Windows and Java language
.


2.2

Prerequisites


Students
should understand the basics of computer netw
ork, programming
languages (Java, in particular), and information systems
.



2.3

Objectives


Upon finishing the course, students are expected to:


• Und
erstand basic security concepts,

models
, algorithms and protocols.

• Understand security requirements and
constraints in

some

real world
applications.

• Be able to analyze the current security mechanisms.

• Be aware of the current and

future trends in security applications.




2.4

Basic Modules











SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
5








2.5

Instructional Staff




Professors:
Robert Deng,
Y
ingjiu

Li, Xuhua Ding
, Debin Gao



Instructional staff:
to be updated



Teaching assistant:
to be updated


3

Output and Assessment S
ummary



Week

Date

Output
Assessments

Weighting
in %

Group
Weighting

Remarks

1


10 project groups


Project

25
%

(report 15%,
presentati
o
n 10%)



Final

e
xam

4
0
%


Assignment
s 10%


midterm

quiz
15
%


Class
participatio
n 10
%

Overview

2




Enc to DES

3


Assignment

1

5

Enc to AES

4




RSA, DH

5




Hash,MAC,Sig

6




Cert, PKI

7


Midterm


15

Password

8
(Recess)





9


Review
midterm


Password

II and
internet security

10


Assignment 2

5

AC

11


Lab


password
cracking,
FW,IDS

12


Project
presentation

and
demo

I


Invited talk from
industry

13


Project

P
resentation

and
demo

II

10


14
(Review)


Project
report

15


15


Final e
xam

40


SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
6


Total



90

100%


Midterm

quiz

(
15
%; problem solving
)



1.5 hours

(close
-
book)



Cover the first 6 weeks
.

Class participation

(
10
%
)



Evaluated by
the
lecturers based on students
’ participation

in
classroom
discussions

and grading on hands
-
on and

lab e
xercises


P
roject
(25
%
)




Teaming
:

each team consists of 3 to 4 members
.



References: internet, textbook


Each team chooses a topic from the following list and conducts an o
pen
-
ended
investigation
on the topic
:

1.

Web browser

security


2.

SSL security issues and s
olutions

3.

Privacy leakage and control in o
nline s
ocial networks

4.

Authentication and anonymity
in location based services

5.

Differential

privacy


6.

Android permission models and enforcement


7.

iOS malware and detection

8.

Android malware and detection

9.

Timing based att
estation

10.

Password strength measurements



Grading
:
25%

1.

P
resentation
15%



P
resentation organization

5%



T
echnical description

5%



Q&A 5%

2.

P
roject report

10%



B
readth

5%



Depth 5%



Deliverables
: Each team will write a p
roject report on their findings,

and

deliver an o
ral presentation

in class. The report should

be within 10~15

pages, using 11pt font, single column and single spa
ce fo
rmat. The oral
presentation should be delivered within

20~
2
5

minutes
plus 5
~10

minutes

Q&A.




Requirements
:
In both presentation

and repor
t
, each team should:

a)

Describe the background of

the

related
topic

SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
7


b)

Identify
major issues

(problems, concerns, questions)

in the field

c)

Address the identified issues with technical details

d)

Provide your own comments and analyses

e)

Give illustrative examples and
case studies where appropriate


f)

List all references



The project
outline

within 5 pages
(hardcopy)

is due
in week 9
.
The
presentations

are scheduled

in
weeks

12 and

13
. T
he
final
rep
ort is due

on
Monday

in week 14
.



Final

Exam
(4
0
%; close book)

in week 1
5



Cover a
ll material

taught

in class, including the invited talk and lab



M
ultiple choice questions

and
short answer

questions


Grades release schedule


Ex/
Assignments


before the next class

Midterm


before week 10

Participation


at the end of term

Final e
xam


at the end of term

Group project


at the end of term


4

Group Allocation for Assignments


E
ach class is partitioned into 10

groups
. The students in each group are
randomly selected.



5

Classroom Planning


Teaching session
:
3 hours

Note

Review:
15 minute
s



Solution techniques
: 1 hour
30

minutes



Se捵物瑹⁰牯r汥m猠snd 瑥捨n楱ues



Ana汹獩s

Lea牮楮g

Hands
-
on exercises
: 1 hour



Se瑴楮i猠snd⁳ eps



䑩獣s獳楯s猠

䡡Hds
-


Summary
: 15 minutes

Learning effect


SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
8


5.1

Course Schedule Summary




Wk

Topic

(problem)

Readi
ngs

(textbook)

Classroom:
techniques
(1.5 hours)

Classroom:
hands
-
on

(1.5

hours)

After
-
class
reading

and
exercise

1

Background

Chapter

1
,
7.1

Networking
basics and
security
concepts

Form project
teams

Group
formation

and topic
selection

2

Enc Basics


2
.1
-
2.
4

Enc basics

Open
SSL and
JCE


3

DES
-
AES

2.5
-
2.
6
, 10.2

DES, AES

Open
SSL and
JCE


Assignment 1

Assignmen
t 1

4

RSA

2.7
-
2.8
, 10.3

RSA enc

Review of
assignment 1
,
OpenSSL and
JCE


5

Integrity


2.8
, 10.3

Hash, MAC,
RSA sig

Open SSL

and
JCE


6

Cert, PK
I

2.8
, 7.6

Cert, PKI,
CRL


Open SSL
, email
security,
windows cert mgt


7

Quiz, user
auth

4.5

Midterm

User
authentication
I


8

Recess





9

User auth

4.5
, 7.3

User
authenticatio
n
II and
internet
security

Review of
midterm

Project
draft

due

10

AC


4.1
-
4
.4, 5.1
-
5.3

DAC, MAC,
RBAC



Java
SecurityManager


Assignment
2

Assignmen
t 2


11

Internet Sec


Lab on pwd
cracking

Lab on FW,
IDS
,
and AC

Review of
assignment 2

SAS
-
SMU
Enterprise
Intelligence
Lab

1
2

Proj Pres I


5 groups


Invited talk
SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
9


from
industry

1
3

Proj Pres

II


5

groups



14

Review


Project report
due


Project
report
,
Q&A

15

Final exam





5.2
Lab Exercises


The lab exercises shall be conducted in class, usually during the second half of the time allocated
for the class.

The students shall be pro
vided with a lab document, detailing the activities to be conducted, and
the instructor will guide the students where required.

The results of the labs have to be submitted at the end of class. No later submissions will be
accepted (unless otherwise instru
cted by the professor teaching the respective section).


Week

Lab


Focus

Lab Activity

1

1

Basic security concepts

Email attack in SMTP

2

2

Encryption basics

Openssl, cryptool, and JCE installation and
demo

3

3

DES and AES

DES and AES
with openssl, JCE,
and
cryptool

4

4

RSA

encryption

RSA encryption with openssl, JCE and
cryptool

5

5

Integrity check

Hash, MAC, and RSA signature

6

6

Certification and PKI

Email security with free certificates

7


Password authentication

M
idterm

9


Strong authentication

Review of midterm

1
0

7

Access control

Security manager in JCE

11

8

Internet security

Password cracking, f
irewall and intrusion
detection in SAS lab
.

5
.
3

Weekly plan


Week:

1

Session 1:



Introduction to the course



Basic security concepts

Session 2:



Networking basics

and email attack



Project team formation

Reference:



Chapter 1

and 7.1

Things to ensure:



Course material

is available for download

from the course web site



Students must be assigned into groups for
project



SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
10


Week:

2



Session 1:



Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition



Security analysis of ancient ciphers

Session 2:



Installation of JCE cryptool
and Openssl



Test for
the tools

Reference:



Chapter 2.1
-
2.4

Things to ensure:



Students
understand two basic encryption techniques: substitution and transposition



JCE
, cryptool

and openssl are correctly installed for hands
-
on exercise in the following
weeks



Week:

3


Session 1:



DES: history and details



AES: history and detail
s

Session 2:



Use both Openssl and JCE for DES and AES encryption and decryption

Reference:



Chapter 2.5
-
2.6, 10.2

Things to ensure:



Students know the security status of DES and AES



Students know how to use DES and AES in Openssl and JCE



Week:

4



Session 1:




Asymmetric encryption with RSA

Session 2:



Use Openssl and JCE for generating RSA keys and for
performing
RSA encryption

Reference:



Chapter 2.7
-
2.8, 10.3

Things to ensure:



Students understand the security of RSA encryption



Studen
ts know how to generate RSA keys and use RSA keys in Openssl and JCE



Assignment 1 due and review



Week:

5


Session 1:



Hash functions (MD5 and SHA1)



MAC (HMAC and DES
-
MAC)



RSA signature



Compare MAC with RSA signature for message integrity c
heck

Session 2:



Use JCE for message integrity check with HMAC and RSA signature

Reference:



Chapter 2.8, 10.3

Things to ensure:

SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
11




Students understand the security status of hash functions



Students understand the differences between MAC and RSA signature



S
tudents know how to use JCE for integrity check with MAC and RSA signature



Week:

6


Session 1:



Impersonation problem and the need of using certificates



X. 509 certificate format



CRL

Session 2:



Email security (S/MIME and PGP)



Signed and/
or encrypted email with COMODO certificates in Outlook

Reference:



Chapter 2.8, 7.6

Things to ensure:



Understand why and how to use certificates and CRLs



Know how to use Outlook to send signed and/or encrypted emails



Week:

7


Session 1:



quiz

Session 2:



weak authentication with passwords



Unix passwords



Windows LM hash and NTLM hash



Password attacks

Reference:



Chapter 4.5

Things to ensure:



Understand how passwords are stored in computers



Week:

8


(Recess week: no class)

Session 1:





Session 2:




Reference:




Things to ensure:






Week:

9


Session 1:



Strong authentication (Lamport, challenge response, time synchronization)



NTLMv1 and NTLMv2

Session 2:



Internet security (SSL, firewall, IDS)

Reference:

SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
12




Chapter 4.5
, 7.3

Things to ensure:



Understand why strong authentication is securer than weak authentication



Understand how passwords are verified in Windows



Understand the fundamentals of SSL, firewall and IDS



Understand how to protect information systems in banks

(case study)



Project draft is due


Week:

10


Session 1:



Access control models: DAC, MAC, RBAC

Session 2:



Java SecurityManager

Reference:



Chapter 4.1
-
4.4, 5.1
-
5.3

Things to ensure:



Know how to use java SecurityManager to enforce access
control



Assignment 2 covers weeks 9 and 10



Week:

1
1


Session 1:



Lab exercise for password cracking

Session 2:



Lab exercise for using firewall and

IDS

Reference:



Lab instruction
s

Things to ensure:



Know how to use SAS
-
SMU Enterprise In
telligence Lab for password cracking, firewall
configuration, and intrusion detection



Assignment 2 due and review



Week:

12


(project presentation: teams
1
-
5
)




Session 1:




Session 2:




Reference:




Things to ensure:



Invited talk from indus
try on information security best practice



Week:

13


(project presentation and demo: teams
6
-
10
)


Session 1:




Session 2:




Reference:




Things to ensure:

SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
13




Learning information security trends from each other




Week:

14

(review week: no
class)


Session 1:




Session 2:




Reference:




Things to ensure:



Project report is due




Week:

15

(exam week: no class)


Session 1:




Session 2:




Reference:




Things to ensure:



Final exam

6

List of Information Resources and R
eferences


Textbook:
Security in Computing

(4th

edition) by Charles P. Pfleeger and Shari L.
Pfleeger, Prentice Hall
, 2007


Other reading material
and reference

websites are available in the course slides


7

Tooling



8

Learning Outcomes, Achievement Methods and Assessment



Tool


Description

Remarks

Open SSL, JC
E
,
CrypTool

Security tools in
Windows and Java

Hands
-
on exercises

and
demo

PPA, IPtable, snort

Password cracking,
firewall, and IDS

Lab exercises

SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
14




IS302
-

Information
Security and Trust



Course
-
specific core
competencies which
address the Outcomes

Faculty Methods

to Assess
Outcomes

1

Integration of business &
technology in a sector context







1.1 Business IT value linkage
skills

YY

Identify the security properties
of enterprise information

systems


Analyze the security tradeoffs to
be made in design of enterprise
information systems


List basic design principles of
protecting enterprise
information systems


Identify major security
technologies/components that
are most effective for protecti
ng
enterprise information systems


Explain the future trend of
security technologies that will
generate significant impact to
practice

Execute and grade
lab

exercise
s


Grade
and give feedback
to individual
assignments


Grade
and give feedback
to group
proj
ect





Ability to understand & analyze the

linkages

between:







a) Business strategy and business
value creation







b) Business strategy and
information strategy







c) Information strategy and
technology strategy

YY





d) Business stra
tegy and business
processes







e) Business processes or
information strategy or technology
strategy and IT solutions







1.2 Cost and benefits analysis
skills






Ability to understand and analyze:







a)

Costs and benefits analysis of the

project






1.3 Business software solution
impact analysis skills







Ability to understand and analyze:





SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
15




a) How business software
applications impact the enterprise
within a particular industry sector.













2

IT architecture, design

and
development skills







2.1 System requirements
specification skills

Y

P
erform basic security functions
with tools Crytool, openssl and
JCE


Identify the security
requirements for enterprise
information systems


Design effective and efficient
solut
ions to protect enterprise
information systems

Grade assignments 1
and 2


Exe
cute and grade lab
exercises


Real case studies and
invited talks from
industry

with questions
included and graded in
the final exam



Grade

and give feedback
to

project



Abilit
y to:







a)


Elicit and understand functional
requirements from customer







b)


Identify non functional
requirements (performance,
availability, reliability, security,
usability etc…)

Y





c)


Analyze and document business
processes

Y





2.2 S
oftware and IT architecture
analysis and design skills

Y

Analyze the vulnerability of
network in a web application
scenario and apply intrusion
detection and firewall
techniques to eliminate the
vulnerability

Execute and grade lab
exercise
s



Ability to:







a)


Analyze functional and non
-
functional requirements to produce a
system architecture that meets those
requirements.

Y





b) Understand and apply process and
methodology in building the
application

Y





c)


Create design models using
known de
sign principles (e.g.
layering) and from various view
points (logical, physical etc…)

Y



SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
16




d)


Explain and justify all the design
choices and tradeoffs done during
the application's development

Y





2.3 Implementation skills

Y

Use cryptool, openssl an
d JCE
to design and implement
security techniques for network
security and access control

Execute and grade
lab
exe
rcises and
project



Ability to:







a)


Realize coding from design and
vice versa

Y





b)


Learn / practice one
programming language

Y





c)


Integrate different applications
(developed application, cots
software, legacy application etc…)







d)


Use tools for testing, integration
and deployment

Y





2.4 Technology application skills

Y

Understand and know
how
to
use major secur
ity building
blocks including hash,
encryption and decryption,
signature, certificates, password
authentication, firewall,
intrusion detection, and access
control

Execute and grade
lab
exercises




Ability to:







a)






Understand, select and use
app
ropriate technology building
blocks
when developing an enterprise
solution (security, middleware,
network, IDE, ERP, CRM, SCM etc…)

Y











3

Project management skills







3.1 Scope management skills






Ability to:







a)






Identify and
manage trade
-
offs
on scope/cost/quality/time






b)






Document and manage changing
requirements







3.2 Risks management skills






Ability to:







a)






Identify, prioritize, mitigate and
document project’s risks






b)






Constantl
y monitor projects
risks as part of project monitoring







3.3 Project integration and time
management skills





SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
17




Ability to:







a)






Establish WBS, time & effort
estimates, resource allocation,
scheduling etc…







b)






Practice in plan
ning using
methods and tools

(Microsoft
project, Gantt chart etc…)







c)






Develop / execute a project plan
and maintain it







3.4 Configuration management
skills







Ability to:







a)






Understand concepts of
configuration mgt and ch
ange
control







3.5 Quality management skills







Ability to:







a)


Understand the concepts of
Quality Assurance and Quality
control (Test plan, test cases …)













4

Learning to learn skills







4.1 Search skills






Ability to
:







a) Search for information efficiently
and effectively






4.2 Skills for developing a
methodology for learning






Ability to:







a) Develop learning heuristics in
order to acquire new knowledge
skills (focus on HOW to learn versus
WHAT

to learn ).






b) Abide by appropriate legal,
professional and ethical practices for
using and citing the intellectual
property of others













5

Collaboration (or team) skills:







5.1 Skills to improve the
effectiveness of group processe
s
and work products

Y

Effectively communicate and
resolve conflicts while working
in a randomly chosen team

Grade and give feedback
to project



Ability to develop:







a)


Leadership skills





SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
18




b)


Communication skills







c)


Consensus and conf
lict resolution
skills












6

Change management skills for
enterprise systems







6.1 Skills to diagnose business
changes






Ability to:







a)






Understand the organizational
problem or need for change (e.g.
Analyze existing business
processes
or “as
-
is process”)






6.2 Skills to implement and
sustain business changes







Ability to:







a)






implement the change (e.g.
advertise / communicate the need for
change etc..) and to sustain the
change over time













7

S
kills for working across
countries, cultures and borders







7.1 Cross
-
national awareness
skills







Ability to:







a) Develop cross
-
national
understandings of culture,
institutions (e.g. law), language
etc…







7.2 Business across countrie
s
facilitation skills







Ability to:







a)


Communicate across countries







b)



Adapt negotiation and conflict
resolution techniques to a
multicultural environment













8

Communication skills







8.1 Presentation skills

Y

Prepare
and deliver an effective
and efficient presentation on
a
new information security topic
.

Grade and give feedback
to project



Ability to:





SMU School of Information Systems (SIS)



Course: Security and T
rust

Page
19




a)


Provide an effective and efficient
presentation on a specified topic.






8.2 Writing skills

Y

Write
s
urvey report on a new
information security topic
.

Grade and give feedback
to project and individual
assignments



Ability to:







a)


Provide documentation
understandable by users
(Requirements specifications, risks
management plan, assumptions,
constr
aints, architecture choices,
design choices etc…)









Y


This sub
-
skill is covered partially by the
course




YY

This sub
-
skill is a main focus for this
course