Topic 1: Introduction to the course. Foundations of information security

Government of the Russian Federation
Federal State Autonomous Educational Institution of Higher Professional Education
"National Research University Higher School of Economics"
Faculty of Business Informatics
Software Engineering Department
Course Programme
"Organizational and Technical Security Aspects"
for programme 231000.68 "Software Engineering" (Master's level)
for the Master's programme "System and Software Engineering"
Programme author:
Savelieva A.A., Candidate of Technical Sciences, Associate Professor, asavelieva@hse.ru
Approved at the meeting of the Department of Software Development Management
"___" ____________ 2012
Head of Department: S.M. Avdoshin
Recommended by the Academic Council section of the Faculty of Business Informatics
"___" ____________ 2012
Chair: Yu.V. Taratukhina
Moscow, 2012
This programme may not be used by other units of the university or by other higher education institutions without the permission of the department that developed it.
Course Information
Specification Author:
Alexandra Savelieva, Associate Professor, PhD (Science and Technology Studies:
Information Security)
Subject Title in English:
Organizational and Technical Security Aspects
1. Application Guidelines and Regulations
This specification presents a detailed description of the educational purpose, curriculum, and
assessment methods for the discipline “Organizational and Technical Security Aspects”. The
course is delivered to master's students of the Software Engineering Department, Faculty of
Business Informatics, HSE. The specification was developed in accordance with the following
standards and regulatory documents:
 Master curriculum of MSc educational programme 231000.68 “Software Engineering”, specialization “Software development management”. - Moscow, HSE, 2010.
 Curriculum of 1st year MSc educational programme 231000.68 “Software Engineering”, specialization “Software development management”. - Moscow, HSE, 2010.
 Federal state educational standard of higher education in software engineering (Master degree) approved by Order of the RF Ministry of Education and Science of 9 November 2009 N543 (in Russian).
The specification is intended to be used as a source of information by:
 students and potential students;
 lecturers delivering lectures and conducting practical classes on the course or related disciplines;
 professional and statutory regulatory bodies when carrying out accreditation.
2. Course Objective
Information security and privacy have become core concepts in software engineering
education. One of the inherent skills in information systems engineering and support is the
ability to ensure an appropriate level of information security.
The objective of the Organizational and Technical Security Aspects course is to develop
professional competencies related to applying best practices of information security and
assurance to real-world situations.
Today the demand is growing for information security experts capable of analyzing problems
and making decisions in business situations that involve risk or uncertainty. These skills can
be acquired through the systematic study of information security incidents. The
curriculum is built so that students immediately learn to apply theoretical knowledge in
practice by studying real security incidents (e.g. Rocky Mountain Bank v. Google Inc.
and Anonymous v. HBGary), identifying the mistakes of the people involved, and
proposing solutions.
3. Learning Outcomes
During the course, the students will:
 Study the basic terms, definitions and principles of information security and assurance;
 Study state-of-the-art technologies and products for information protection;
 Study the legislative base and regulatory documents in the area of information protection;
 Master methods and tools for classification of main vulnerabilities and attacks on information assets within automated systems;
 Master methods and tools for the development and implementation of information security policies;
 Master models of information security systems evaluation from economical and technical perspectives, assuming roles of the end user, software engineer, senior architect, CFO, and company chairman;
 Acquire practical skills in information analysis and identification of hidden connections between facts;
 Acquire practical skills in information attack prevention and confrontation by means of organizational measures and technical solutions;
 Acquire practical skills in real-world decision making and problem solving.
The course contributes to the development of the following professional competencies [3]:
1. Research activities
 The ability to manage both self-paced and team work on research projects (ПК-3).
2. Project activities
 The ability to approach projects in a systematic way, to build and apply descriptive
and forecasting models, to conduct qualitative and quantitative analysis (ПК-6);
3. Technical activities
 The ability to apply state-of-the-art development technologies for the development of
complex software systems, to take the advantage of automated job scheduling and
control tools, and to make use of quality assurance techniques (ПК-9).
4. Discipline in the Educational Program
Curriculum:
The course length is 144 academic hours, including 22 hours of lectures, 34 hours of practice,
and 88 hours of self-study. Academic control forms are one home assignment and one test. The
course is part of the specialized curriculum unit, and it is delivered in modules 1-2 of the second
academic year. The number of credits is 4.
Prerequisites:
The course is based on the knowledge of foundations of general technical disciplines,
mathematics, computer science and fundamentals of the decision theory.
5. Subject Structure and Contents
Course hours are given as the total, the audience hours (lectures and practical studies), and self-study.

No.    | Topic name | Total | Lectures | Practical studies | Self-study
Module 1
1.     | Introduction to the course. Foundations of information security | 12 | 2 | 2 | 8
2.     | Trust in the digital society. State-of-the-art technologies as a major information security threat. The problem of ‘digital shadow’ | 18 | 2 | 4 | 6
3.     | PII protection in practice: regulations in Russia and worldwide | 18 | 2 | 4 | 12
4.     | Classification of security threats. SDL methodology. Information security risk management standards and tools | 12 | 2 | 2 | 8
5.     | Attack lifecycle. Types of information attacks. DDoS, bot nets, and spam. Detection and prevention of attacks | 12 | 2 | 4 | 6
Module 2
6.     | Securing the perimeter of an organization. Firewalls, antiviruses, DLP systems. Information security audit | 18 | 2 | 4 | 12
7.     | Cryptographic methods and tools. Digital signatures. PKI infrastructure. Modern cryptanalysis techniques | 12 | 2 | 4 | 6
8.     | Steganography. Digital watermarking. Applications for copyright protection, authenticity assurance and fraud prevention | 12 | 2 | 4 | 6
9.     | Human factor in security. Social engineering. Organizational measures for information protection. Corporate security policy | 12 | 4 | 2 | 12
10.    | Hackers subculture: evolution, motivation, purposes, and targets. Anonymous group | 18 | 2 | 4 | 12
Total: | | 144 | 22 | 34 | 88
6. Grading and Assessment
Type           | Form                | Year 2, module 1 | 2 | 3 | 4 | Notes
Progress check | Written test        | *                |   |   |   | 45 minutes
Progress check | Homework assignment | *                |   |   |   | Case study development
Final check    | Written exam        |                  | * |   |   | 90 minutes – case study analysis
6.1. Evaluation criteria
Written test
Students get a written test with 45 minutes to complete. The test contains Yes-No questions,
single-choice and multiple-choice questions, as well as open-ended questions. Students are
scored based on the number of questions they answered correctly, and the weight of each
question in the overall result (varies from 1 for single-choice and Yes-No questions, to 10 for
open-ended questions). Evaluation formula is 10*(score_achieved/maximum_score). A
maximum score of 10 can be achieved.
Homework assignment
Homework is in the form of case study development and analysis. The topic is selected by the
student based on their interests. Once approval of the topic is obtained from the course instructor, the
student writes the case study based on information from public sources, personal experience
and imagination. Evaluation criteria for the student’s homework assignment are presented in the
table below. A maximum score of 10 can be achieved.
Development of case study:
• Relevancy of information
• Real-life story basis
• Structure of text
• Sufficiency of selected material
• Freshness of ideas
• Accuracy of problem statement
• Author’s contribution and analytical processing of information from public sources
Analysis of case study:
• Demonstration of good command of theoretical knowledge
• Ability to identify both common and specific problems
• Exploring various solutions
• Openness to different perspectives
• Being persuasive in argumentation
• Application of risk management principles and decision making methods
Written exam
The final exam is in the form of case study analysis. Cases are selected and assigned at random by
the course instructor. The evaluation criteria are the same as for the homework assignment and are
presented in the table above. A maximum score of 10 can be achieved.
Penalties
Should plagiarism be identified in the student’s homework, disciplinary measures are applied as
appropriate per the HSE Charter.
Should the student fail to present homework before the end of the 1st module, but submit it at
any point during the 2nd module until the week of interim exams starts, a reduction of the scores
for the assignment by 30% is applied. In this case, a maximum score of 7 for the homework
assignment can be achieved.
6.2. Overall Score
The overall score on the course, Ofinal, is determined using the following formula:
Ofinal = min(Ohome, Oexam)                      if Ohome < 4 or Oexam < 4
Ofinal = 0.25*Otest + 0.5*Ohome + 0.25*Oexam    otherwise
where
- Otest is the score achieved by the student for the written test;
- Ohome is the score achieved by the student for the homework assignment;
- Oexam is the score achieved by the student for the written exam.
Should the student fail to either pass the written exam or submit the case before the end of the
course, the overall score for the next attempts is determined using the following formula:
Ofinal = min(Ohome, Oexam)                              if Ohome < 4 or Oexam < 4
Ofinal = 0.8*(0.25*Otest + 0.5*Ohome + 0.25*Oexam)      otherwise
A score of 4 or higher means successful completion of the course (‘pass’). A score of 3 or lower
means failure to complete the course (‘fail’).
7. Detailed Curriculum Plan
Topic 1: Introduction to the course. Foundations of information security
Topic outline:
 Why study information security?
 Course agenda
 Terms, definitions and principles of information security and assurance
 CIA Triad vs. Parkerian Hexad
 Framework for case study analysis
 Case study: Bank employee’s epic failure
Main references/books/reading:
 Parker, D. B.: Fighting Computer Crime. New York, NY: John Wiley & Sons (1998)
 Parker, D. B.: Toward a New Framework for Information Security. In Bosworth, Seymour; Kabay, M. E., Whyne, Eric, The Computer Security Handbook (5th ed.). New York, NY: John Wiley & Sons (2009)
 Avdoshin S., Savelieva A.: A Framework for Analysis of Case Studies in Information Security. In: Proceedings of CEE-SECR’2012 (to appear)
Additional references/books/reading:
 Schneier, B.: Beyond Fear. Thinking Sensibly about Security in an Uncertain World. Copernicus Books (2003)
Topic 2: Trust in the digital society. State-of-the-art technologies as a major information
security threat. The problem of ‘digital shadow’
Topic outline:
 Technology in societal context: RFID, GPS, smartphones, social networks, cloud
services, and search engines
 Nothing lost on the Web: the problem of digital shadow
 Towards a trustworthy information society
 Privacy, anonymity and accountability
 Case study: Living in the future Information Society
Main references/books/reading:
 Holtzman, D.H. Privacy Lost: How Technology Is Endangering Your Privacy. Jossey-Bass; 1 edition (October 13, 2006)
 Trust in the Information Society // A Report of the Advisory Board RISEPTIS, 2008.
URL: http://www.think-trust.eu/general/news-events/riseptis-report.html
 Cameron, K. Posch, R. and Rannenberg, K. Proposal for a Common Identity Framework:
A user-centric Identity Metasystem www.identityblog.com
 Shadbolt, N and Berners-Lee, T. Web Science emerges, Scientific American, Oct 2008,
Pp. 32-37
 Berners-Lee, T. Hall, W. Hendler, J. O’Hara, K. Shadbolt, N. and Weitzner, D. A
Framework for Web Science, Foundations and Trends in Web Science, 1(1), 2006,
Pp. 1-130
Additional references/books/reading:
 ISS Report 05, Feb 2009: The European Security Strategy 2003-2008 – Building on
Common Interests
 Hardin, R. Trust & Trustworthiness, Russell Sage Foundation, New York 2002
 O’Hara, K. Trust: From Socrates to Spin, Icon Books, Cambridge 2004
 Lacohee, H. Crane, S. and Phippen, A. Trustguide: Final report – www.trustguide.org.uk
 Rannenberg, K. Royer, D. and Deuker, A The Future of Identity in the Information
Society, Springer 2009
 OECD “At a Crossroads: Personhood and Digital Identity in the Information Society”,
http://www.oecd.org/dataoecd/31/6/40204773.doc
 Cavoukian, A. and Hamilton, T. Privacy Payoff, McGraw-Hill 2002 and Cavoukian, A.
Privacy by Design, IPC Ontario 2009 www.ipc.on.ca
 Habermas, J. The structural transformations of the public sphere, Cambridge, 1962 (trans
1989)
 O’Hara, K and Shadbolt, N. The spy in the coffee machine – The end of privacy as we
know it, Oneworld Oxford, 2008.
 Weitzner, D. Abelson, H. Berners-Lee, T. Feigenbaum, J. Hendler and Sussman, J.
Information Accountability, 2008
 Hildebrandt, M and Koops, B-J (eds) A vision of Ambient Law, (2007) available at
www.fidis.net
Topic 3: PII protection in practice: regulations in Russia and worldwide
Topic outline:
 Terminology and definitions
 Individuals: Paradox of Generation Y
 Software certification
 Outsourcing issues
 Manual data processing
 Banking Industry: Contradictions and Workarounds
 IT Industry: Challenges and Opportunities
 Business: Obligations and Threats
 Federal Law of the Russian Federation on Personal Data and international security agreements
 Data fusion
 Case study: The Harrowing Hack That Erased a Writer’s Identity
Main references/books/reading:
 Holtzman, D.H. Privacy Lost: How Technology Is Endangering Your Privacy. Jossey-Bass; 1 edition (October 13, 2006)
 Savelieva, A., Avdoshin, S.: Personal Data Protection in Russia: Trends of the Last
Decade. In: Proceedings of “2010 Workshop on Cyber Security and Global Affairs &
Security Confabulation IV”, Zurich, 2010.
Additional references/books/reading:
 ISS Report 05, Feb 2009: The European Security Strategy 2003-2008 – Building on
Common Interests
 Proposal for a Regulatory framework for Electronic communication networks and
services
Topic 4: Classification of security threats. SDL methodology. Information security risk
management standards and tools
Topic outline:
 Threat and risk: definitions, attributes, formalizations
 Security threat modeling
 Advanced persistent threat (APT)
 Microsoft best practices: SDL methodology
 Code review using static analysis tools
 Architectural risk analysis
 Penetration testing
 Security testing
 STRIDE classification
 ISO/IEC 27001:2005
 Information security risk management standards and tools: CRAMM, RiskWatch, GRIF
 Case study: A Software Bug Causing Panic at Tokyo Stock Exchange
Main references/books/reading:
 Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for
Developing Demonstrably More Secure Software. Microsoft Press, pp.304 (2006)
 McGraw, G.: Software Security: Building Security In. Addison-Wesley, February 2006.
 Tamai, T.: Social Impact of Information System Failures // Computer, IEEE, vol. 42, no.
6, pp. 58-65, 2009
Additional references/books/reading:
 Schneier, B.: Modeling security threats // Dr. Dobb’s Journal, December, 1999.
 CRAMM V Official website // Siemens Enterprise Communications Limited 2006.
Available at: www.cramm.com
 Digital Security: GRIF //Available: http://www.dsec.ru/products/grif/
 RiskWatch Official website // RiskWatch, Inc. Available at: http://www.riskwatch.com/
 Savelieva, A.: Modeling Security Threats to Cryptographically Protected Data. In
Proceedings of the Third Spring Young Researchers’ Colloquium on Software
Engineering (SYRCoSE 2009). May 28-29, 2009. – Moscow, Russia, Pp. 56 – 60.
 ISO/IEC TR 18044:2004, Information technology. Security techniques. Information
security incident management
 Information technology. Security techniques. Information security management systems
Requirements, ISO/IEC 27001:2005 (2005)
 C. Gliedman,“Managing IT Risk with Portfolio Management Thinking,” CIO (Analyst
Corner), http://www.cio.com/analyst/012502_giga.html.
Topic 5: Attack lifecycle. Types of information attacks. Detection and prevention of
attacks.
Topic outline:
 What is an information security attack
 Classification of attacks
 0day attack
 4 stages of the information attack lifecycle: reconnaissance, penetration, information damage, and proliferation
 Examples of attacks: DDoS, bot nets, and spam
 Intrusion detection and prevention systems
 Case study: Anonymous hacktivists targeting a famous security company
Main references/books/reading:
 V.A. Serdiouk, Organizational and Technical Aspects of Information Security. HSE Publishing, Moscow (2011), - 576 p. – In Russian
 Avdoshin S., Savelieva A.: A Framework for Analysis of Case Studies in Information Security. In: Proceedings of CEE-SECR’2012 (to appear)
Additional references/books/reading:
 Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for
Developing Demonstrably More Secure Software. Microsoft Press, pp.304 (2006)
 Lindqvist U., Jonsson E. How to systematically classify computer security intrusions. //
IEEE Symposium on Security and Privacy, p. 154–163, Los Alamitos, CA, 1997.
 Weber D. J. A taxonomy of computer intrusions. Master’s thesis, Department of
Electrical Engineering and Computer Science, Massachusetts Institute of Technology,
June 1998.
 Paulauskas N., Garsva E.. Computer System Attack Classification // Electronics and
Electrical Engineering 2006. nr. 2(66)
 M. Howard, J. Pincus, and J.Wing, “Measuring Relative Attack Surfaces,” 2003,
http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf.
 Manadhata and Wing, “Measuring a System’s Attack Surface,” 2004, http://reports-archive.adm.cs.cmu.edu/anon/2004/CMU-CS-04-102.pdf
Topic 6: Securing the perimeter of an organization. Firewalls, antiviruses, DLP systems.
Information security audit
Topic outline:
 Technical measures for information security protection of an organization: firewalls, antiviruses, DLP systems
 Remote desktop protection
 Guidelines for information security audit
 Standard ISO 27002 (17799)
 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
 COBIT framework
 Measuring information security
 Case study: Security tokens crack affecting major corporations
Main references/books/reading:
 V.A. Serdiouk, Organizational and Technical Aspects of Information Security. HSE Publishing, Moscow (2011), - 576 p. – In Russian
 McGraw, G.: Software Security: Building Security In. Addison-Wesley, February 2006.
 ISO/IEC: ISO/IEC 17799, “Code of Practice for Information Security Management,” 2000.
 C. Villarrubia, E. Fernandez-Medina, and M. Piattini, “Analysis of ISO/IEC 17799:2000 to be used in Security Metrics,” Security and Management, pp.109–117, 2004.
 Heimerl, J.L., Voight, H.: Measurement: The Foundation of Security Program Design and Management // Computer Security Journal, 2005.
Topic 7: Cryptographic methods and tools. Digital signatures. PKI infrastructure. Modern
cryptanalysis techniques
Topic outline:
 The history of cryptography
 Shannon’s fundamental principles and Kerckhoffs's Desiderata
 Symmetric primitives and their application
 Private-key cryptosystems: GOST, DES, DESX, 3DES, AES
 Block cipher-based hash functions and stream ciphers
 Hard problems of number theory: factorization and discrete logarithm computation
 Public-key cryptosystems: RSA, Diffie-Hellman key exchange
 Practical applications: cryptographic protocols, digital signatures
 PKI infrastructure
 Cryptanalysis: linear, differential
 The Future: Quantum cryptography and cryptanalysis
 Software libraries and tools for doing crypto: Cryptool, NTL, etc.
 Case study: Recruiting giant under attack
Main references/books/reading:
 Oppliger R. Contemporary Cryptography. Artech House Publishers, 2005, 510 p.
 Brassard J. Modern Cryptology. Springer-Verlag, Berlin - Heidelberg, 1988. - 107 p.
 Bauer F.L. Decrypted Secrets: Methods and Maxims of Cryptology. Springer-Verlag Telos; 2nd Rev&Ex edition (February 2000), 470 p.
 Avdoshin S.M., Savelieva A.A. Cryptanalysis: current state and future trends // Information technologies. Moscow, ‘Novye technologii’, in Appendix to № 3, 2007, 35 p. (in Russian).
 Avdoshin S.M., Savelieva A.A. Tools for asymmetric ciphers analysis: Industrial registration certificate No. 10193 dated 18.03.2008 (in Russian).
 Library for doing Number Theory. Available at: http://www.shoup.net/ntl/ 06.02.2007
 Lenstra Jr. H. W. Factoring integers with elliptic curves // Annals of Mathematics (2) 126 (1987), 649-673.
 Rabin M.O. Probabilistic algorithm for testing primality // Journal of Number Theory 12 (1980), no. 1, pp. 128–138.
 Miller G.L. Riemann's Hypothesis and Tests for Primality // Journal of Computer and System Sciences 13 (1976), no. 3, pp. 300–317.
 Gordon M.D. Discrete logarithms in GF(p) using number field sieve // SIAM Journal on Discrete Mathematics 6, no.1, 1993, pp. 124-138.
 Coppersmith D., Odlyzko A., Schroeppel R. Discrete logarithms in GF(p) // Algorithmica. 1986. V. 1. - P. 1—15.
 Avdoshin S.M., Savelieva A.A. Algorithm for solving linear systems over residue rings // Information technologies. Moscow, ‘Novye technologii’, 2006. № 2.- p.50-54 (in Russian).
 Schneier B. Applied Cryptography Second Edition: protocols, algorithms and source code in C. John Wiley & Sons Inc., 1996.
Additional references/books/reading:
 Kerckhoffs A. La cryptographie militaire // Journal des sciences militaires, vol. IX. pp. 5-38, Jan. 1883 (pp. 161-191, Feb. 1883).
 Waerden B. L. Algebra. Vol. 1, Springer-Verlag, Berlin, 1991.
 Savelieva A. Formal methods and tools for evaluating cryptographic systems security // St. Petersburg, ISP RAS, In Proceedings of the Second Spring Young Researchers Colloquium on Software Engineering (SYRCoSE’2008), 2008, Vol 1. P. 33-36.
 Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE'12. LNCS, vol. 7549, pp. 244-263. Springer, Heidelberg (2012).
 Hriţcu C., Goriac I., Gordân R. M., Erbiceanu E. MpNT: Designing a Multiprecision Number Theory Library. Faculty of Computer Science, “Alexandru Ioan Cuza” University, Iasi, 2003.
 CLN. Available at: http://www.ginac.de/CLN/
 Boreale M., De Incola R., Pugliese R. Proof techniques for cryptographic processes. SIAM J. Comput., 31(3), 2002. Pp. 947-986.
 Zhou Y., Feng D. Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing // Physical Security Testing Workshop (Hawaii, September 26-29, 2005). Available at: http://eprint.iacr.org/2005/388.pdf
 Rivest R.L., Shamir A., Adleman L.M. A Method for Obtaining Digital Signatures and Public Key Cryptosystems // Communications of the ACM, v. 21, n. 2, February 1978. P. 120-126.
Topic 8: Steganography. Digital watermarking. Applications for copyright protection,
authenticity assurance and fraud prevention
Topic outline:
 Digital Watermarking for Protection of Intellectual Property
 Perceptual Data Hiding in Still Images
 Audio Watermarking: Properties, Techniques and Evaluation
 Design Principles for Active Audio and Video Fingerprinting
 Issues on Image Authentication
 Digital Signature-Based Image Authentication; Data Hiding in Document Images
 Case study: Steganography in crime investigation
Main references/books/reading:
 Chun-Shien Lu: Multimedia Security: Steganography and Digital Watermarking Techniques for Protection of Intellectual Property. IGI Publishing, 2004.
 Eggers, J., Su, J., & Girod, B.: Robustness of a blind image watermarking scheme. International Conference on Image Processing Proceedings, ICIP 2000, vol. 3 (2000).
 Ejim, M., & Miyazaki, A.: A wavelet-based watermarking for digital images and video. International Conference on Image Processing, ICIP 00, vol. 3. (2000).
 Goutte, R., & Baskurt, A.: On a new approach of insertion of confidential digital signature into images. Proceedings of Fourth International Conference on Signal Processing, ICSP 98, vol. 2, pp. 1170-1173 (1998).
 Cox, I., Miller, M., & Bloom, J. Digital watermarking, San Diego, CA: Academic Press. (2002).
Additional references/books/reading:
 Barni, M., Bartolini, F., Cappellini, V., & Piva, A. Robust watermarking of still images for copyright protection. 13th International Conference on Digital Signal Processing Proceedings, DSP 97, vol. 1. (1997)
 Baudry, S., Nguyen, P., & Maitre, H. Channel coding in video watermarking: Use of soft decoding to improve the watermark retrieval. International Conference on Image Processing Proceedings, ICIP 2000, vol. 3 (2000)
 Bors, A., & Pitas, I. Image watermarking using DCT domain constraints. International Conference on Image Processing Proceedings, ICIP 96, pp. 231-234 (1996)
 Bruyndonckx, O., Quisquater, J.-J., & Macq, B. Spatial method for copyright labeling of digital images. Proceeding of IEEE Nonlinear Signal Processing Workshop, pp. 456-459. (1995).
 Busch, C., & Wolthusen, S. Digital watermarking from concepts to real-time video applications. IEEE Computer Graphics and Applications, 25-35. (1999)
 Chae, J., Mukherjee, D., & Manjunath, B. A robust embedded data from wavelet coefficients. Proceeding of SPIE, Electronic Imaging, Storage and Retrieval for Image and Video Database, 3312, pp. 308-317. (1998).
Topic 9: Human factor in security. Social engineering. Organizational measures for
information protection. Corporate security policy
Topic outline:
 Human role in information protection
 Types and motivation of adversaries
 Methods and tools of social engineering
 Insider threat
 Organizational measures for information protection
 Guidelines and templates for corporate security policy development
 Case study: Accidental posting of information intended for internal use
Main references/books/reading:
 Savelieva, A.: Formal methods and tools for evaluating cryptographic systems security. In: Proceedings of the Second Spring Young Researchers’ Colloquium on Software Engineering (SYRCoSE’2008), St. Petersburg, ISP RAS, 2008, Vol 1. Pp. 33-36.
 Schneier, B.: Beyond Fear. Thinking Sensibly about Security in an Uncertain World. Copernicus Books (2003)
Additional references/books/reading:
 V.A. Serdiouk, Organizational and Technical Aspects of Information Security. HSE Publishing, Moscow (2011), - 576 p. – In Russian
Topic 10: Hackers subculture: evolution, motivation, purposes, and targets. Anonymous
group
Topic outline:
 Hacker types, ethics and motivation
 Evolution over time: how the development of the Internet affected the subculture
 The importance of understanding your enemy
 Computer crimes
 Case study: Vandalism on the Internet: court website defaced in support of a punk band
Main references/books/reading:
 Schneier, B.: Beyond Fear. Thinking Sensibly about Security in an Uncertain World. Copernicus Books (2003)
Additional references/books/reading:
 Hartel, P.H., Junger, M.: Teaching Information Security students to “Think thief”. Technical Report TR-CTIT-12-19, Centre for Telematics and Information Technology, University of Twente, Enschede. ISSN 1381-3625 (2012)
8. Educational Methods and Technologies
Case studies are stories with an educational message [4]. The case study method was introduced at the
beginning of the 20th century at Harvard Business School, primarily for the development of analytical
and problem-solving skills among trainee lawyers and managers. The case study method used in
practical classes:
 makes the learning process interactive and entertaining;
 contributes to the development of analytical skills;
 encourages active use of theoretical knowledge;
 allows students to experience a real-world situation;
 is adaptive to the students' level and background;
 admits both teamwork and independent work;
 imposes minimal requirements on laboratory equipment.
Educational institutions in the US and Europe are actively working on adopting this innovation
into the educational practice of teaching information security and assurance (see [5, 6]). Case
study analysis is listed in [7] among the skills that students at both undergraduate and
graduate levels should embrace as security professionals.
In this course we use a framework of methods, tools and taxonomies for the analysis of case studies
in the information security field [8]. This framework allows students to study every situation in a
formal rather than ad-hoc way, and to apply a wide range of threat modeling, risk analysis and
project management techniques in close to real-life conditions.
8.1. Recommendations for course instructors
A big problem that an educator faces when using case studies for teaching practical information
security in higher education is the lack of ready-made materials available for free use, apart from
“product success story” case studies presented on the web sites of a few companies for
advertising purposes. We have addressed this problem by showing how to build a fascinating
and relevant story from scratch without much effort from the teacher, but with high benefit to
the audience:
 Savelieva A. How to design case studies and use them in information security seminar classes (with samples) // Software Engineering Department, HSE, 2011. (under a grant from the Foundation for Educational Innovations)
The sources [4-8] listed in the Reference section might also be helpful to the instructor.
8.2. Educational guidelines for students
Students will benefit from reading the sources listed in Section 8.1.
9. Assessment Methods
Written test
The written test is a computer testing assessment based on the topics covered in the course (see
Section 5 for the list of topics).
Written Exam
The student is assigned a case study related to one of the course topics.
Typical tasks to complete are as follows:
1. Identify information security events E
2. Sort E in chronological order
3. Depict the flow of events E by means of an Event Chain Diagram
4. For each event in E:
   a) Identify affected information assets I
   b) For each information asset in I:
      i. Identify information security property violation threats T
      ii. For each threat in T:
         A. Specify the affected information security property
         B. Evaluate the risk (probability and impact)
         C. Propose methods and best practices for risk mitigation
Case study example:
“A customer of the Rocky Mountain Bank asked a bank employee to send certain loan
statements to a representative of the customer. The employee, however, inadvertently sent the email to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the
e-mail that should not have been sent at all.
The attachment contained confidential information on 1,325 individual and business customers
that included their names, addresses, tax identification or Social Security numbers and loan
information.
After realizing what he’d done, the employee “tried to recall the e-mail without success.”
When that didn’t work, the employee sent a second e-mail to the recipient instructing the person
to delete the e-mail and attachment “in its entirety” without opening or reviewing it. The
employee also asked the recipient to contact the employee to “discuss his or her actions.”
Silence ensued. That’s when the bank sued Google to identify the recalcitrant recipient.
Google said it wouldn’t comply without a court order, and even if it does receive a court order,
its policy is to notify an account holder and give the person a chance to object to the disclosure
of his or her identity. The court is considering the bank’s request.
In the meantime, Rocky Mountain Bank filed a motion to seal the entire case until the court
decides whether to force Google to reveal the recipient’s name, saying it didn’t want its
customers to learn about the breach, because it would create panic and result in a surge of
inquiries from customers. It wants the information under seal until it can determine from Google
whether the Gmail account in question is active or dormant, and whether the sensitive customer
information is actually at risk of being abused.
A federal judge in San Jose, California denied the bank’s request to seal.”
(Source: Zetter, K.: Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google. At:
http://www.wired.com/threatlevel/2009/09/bank-sues-google/ )
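The exam procedure above (events, chronological order, event chain, then assets, threats, violated property, probability x impact risk and mitigations for each event) can be carried out over the Rocky Mountain Bank case as structured data. The following is an added teaching example, not part of the course specification or of the case source: the events are taken from the quoted case, while the 1..5 probability and impact ratings, the risk thresholds and the mitigation lists are illustrative assumptions made for the example.

```python
"""Worked example of the written-exam procedure (steps 1-4): events sorted
chronologically, an event chain, and for each event the affected assets, the
threats to them, the violated security property, a probability x impact risk
score and mitigation proposals.

Added example, not part of the course specification. Events come from the
Rocky Mountain Bank case quoted above; ratings, thresholds and mitigation
lists are illustrative assumptions, not facts from the source."""
from dataclasses import dataclass, field
from typing import List, Tuple

PROPERTIES = ("confidentiality", "integrity", "availability")  # CIA triad


@dataclass
class Threat:
    description: str
    violated_property: str   # step 4.b.ii.A: which property the threat violates
    probability: int         # 1 (rare) .. 5 (almost certain); assumed rating
    impact: int              # 1 (negligible) .. 5 (severe); assumed rating
    mitigations: List[str] = field(default_factory=list)  # step 4.b.ii.C

    def __post_init__(self) -> None:
        # Reject a malformed analysis early instead of producing a silent wrong rank.
        if self.violated_property not in PROPERTIES:
            raise ValueError(f"unknown security property: {self.violated_property}")
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be on a 1..5 scale")

    @property
    def risk(self) -> int:
        """Step 4.b.ii.B: risk as probability x impact on a 1..25 scale."""
        return self.probability * self.impact


@dataclass
class Asset:
    name: str
    threats: List[Threat] = field(default_factory=list)  # step 4.b.i


@dataclass
class Event:
    order: int          # chronological position; the case gives no exact dates
    description: str
    assets: List[Asset] = field(default_factory=list)  # step 4.a


def sort_events(events: List[Event]) -> List[Event]:
    """Step 2: chronological order (case reports are not always told in order)."""
    return sorted(events, key=lambda e: e.order)


def event_chain(events: List[Event]) -> List[Tuple[str, str]]:
    """Step 3: the Event Chain Diagram as a list of (cause, effect) edges."""
    ordered = sort_events(events)
    return [(a.description, b.description) for a, b in zip(ordered, ordered[1:])]


def risk_level(score: int) -> str:
    """Assumed thresholds for a 1..25 risk matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_threats(events: List[Event]) -> List[Tuple[int, str, str, str]]:
    """Step 4 flattened: (risk, level, asset, threat), highest risk first."""
    rows = [(t.risk, risk_level(t.risk), asset.name, t.description)
            for ev in events for asset in ev.assets for t in asset.threats]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed model of the quoted case; events deliberately listed out of order.
CASE = [
    Event(3, "Recipient stays silent; bank sues Google to identify the account holder"),
    Event(1, "Employee e-mails loan statements to a wrong Gmail address, with an "
             "extra attachment holding data on 1,325 customers",
          [Asset("Customer PII: names, addresses, SSN/TIN and loan data", [
              Threat("Disclosure to an unknown external party", "confidentiality", 5, 5,
                     ["Outbound data loss prevention (DLP) checks on attachments",
                      "Encrypt files containing customer PII before sending",
                      "Recipient confirmation step for external domains"])])]),
    Event(2, "Recall fails; employee asks the recipient to delete the e-mail unopened",
          [Asset("Same customer data, now outside the bank's control", [
              Threat("Recipient keeps or forwards data the bank cannot revoke",
                     "confidentiality", 4, 5,
                     ["Incident response procedure instead of ad hoc e-mails",
                      "Timely breach notification to affected customers"])])]),
    Event(4, "Court denies the motion to seal; the breach becomes public",
          [Asset("Bank customer-service channels", [
              Threat("Surge of customer inquiries exceeds service capacity",
                     "availability", 3, 2,
                     ["Prepared communication plan and staffed hotline"])])]),
]
```

Calling `event_chain(CASE)` yields the three cause-effect edges of the diagram in step 3, and `rank_threats(CASE)` returns the threats with their risk scores (25, 20 and 6 under the assumed ratings), so the student's answer to step 4 can be read off directly; the validation in `Threat` catches a misspelled property or an out-of-scale rating before it distorts the ranking.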
10. Learning Resources
10.1. Course reader and main book(s)
Serdiouk, V.A.: Organizational and Technical Aspects of Information Security. HSE Publishing,
Moscow, 576 p. (2011), in Russian
Howard, M., Lipner, S.: The Security Development Lifecycle. SDL: A Process for Developing
Demonstrably More Secure Software. Microsoft Press, 304 p. (2006)
Holtzman, D.H.: Privacy Lost: How Technology Is Endangering Your Privacy. Jossey-Bass, 1st
edition (2006)
10.2. Main literature
Schneier, B.: Applied Cryptography, Second Edition: Protocols, Algorithms and Source Code in C.
John Wiley & Sons Inc. (1996)
Jones, B.F., Idol, L.: Conclusions. In: Jones, B.F., Idol, L. (eds.) Dimensions of Thinking and
Cognitive Instruction, pp. 511-532. Lawrence Erlbaum Associates, Hillsdale, NJ (1990)
McGraw, G.: Software Security: Building Security In. Addison-Wesley (2006)
10.3. Additional literature
Blakley, B., McDermott, E., Geer, D.: Information security is information risk management. In:
NSPW '01, Proceedings of the 2001 Workshop on New Security Paradigms. ACM (2001)
Schneier, B.: Snake Oil. Crypto-Gram, February 1999. Available at:
http://www.counterpane.com/Crypto-Gram.html (22.01.2008)
Berners-Lee, T., Hall, W., Hendler, J., O'Hara, K., Shadbolt, N., Weitzner, D.: A Framework for
Web Science. Foundations and Trends in Web Science 1(1), pp. 1-130 (2006)
10.4. Reference books, dictionaries, encyclopedias
ISO/IEC TR 18044:2004, Information technology. Security techniques. Information security
incident management
ISO/IEC 27005:2008, Information technology. Security techniques. Information security risk
management
ISO/IEC 17799:2000, Code of Practice for Information Security Management
10.5. Internet and intranet references for remote support of the discipline
Savelieva A.: 00545 Information security learning based on case studies: from practice to
theory. LMS, HSE, 2012 (in Russian).
Avdoshin S.M., Savelieva A.A., Serdiouk V.A.: Microsoft technologies and products for
information protection // Microsoft Faculty Resource Center, 2010,
https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=8476&Login=
Avdoshin S.M., Savelieva A.A., Serdiouk V.A.: Microsoft technologies and products for
information protection // INTUIT, 2010, http://www.intuit.ru/department/security/mssec/
10.6. Required software:
Microsoft Office Professional 2007-2010
Microsoft Visual Studio 2008-2010
Internet browser with video plug-ins
Cryptool 2.0
11. Special Equipment
Practical classes are held in a computer laboratory equipped with an overhead projector and
portable audio equipment. Every student has a PC with a high-speed internet connection and
access to the HSE electronic library.
References
1. Master curriculum of MSc educational programme 231000.68 “Software Engineering”,
specialization “Software development management”. - Moscow, HSE, 2010.
2. Curriculum of 1st year MSc educational programme 231000.68 “Software Engineering”,
specialization “Software development management”. - Moscow, HSE, 2010.
3. Federal state educational standard of higher education in software engineering (Master
degree) approved by Order of the RF Ministry of Education and Science of 9 November
2009 N543 (in Russian).
4. Herreid, C.F. (ed.): Start With a Story: The Case Study Method of Teaching Science.
National Science Teachers Association, Arlington, VA, 466 p. (2007)
5. Workshop on Teaching Information Assurance through Case Studies and Hands-on
Experiences. http://teaching-ia.appspot.com/
6. Hartel, P.H., Junger, M.: Teaching Information Security Students to “Think Thief”. Technical
Report TR-CTIT-12-19, Centre for Telematics and Information Technology, University of
Twente, Enschede (2012)
7. Logan, P., Christofero, T.: Giving Failure a Place in Information Security: Teaching Students
to Use the Post-Mortem as a Way to Improve Security. In: Proceedings of the 13th
Colloquium for Information Systems Security Education. University of Alaska, Fairbanks
Seattle, WA June 1 - 3, 2009 (2009)
8. Avdoshin S., Savelieva A.: A Framework for Analysis of Case Studies in Information
Security. In: Proceedings of CEE-SECR’2012 (to appear)
The author of the program: ______________Savelieva A.