2 Overview of Security and Trust Course

advertisement
Course Design Document
IS302: Information Security and Trust
Version 4.7
17 December 2012
SMU School of Information Systems (SIS)
Table of Content
1
2
Versions History .................................................................................................................................. 3
Overview of Security and Trust Course ............................................................................................ 4
2.1 Synopsis ........................................................................................................................................ 4
2.2 Prerequisites ................................................................................................................................ 4
2.3 Objectives ..................................................................................................................................... 4
2.4 Basic Modules .............................................................................................................................. 4
2.5 Instructional Staff ........................................................................................................................ 5
3
Output and Assessment Summary .................................................................................................... 5
Midterm quiz (15%; problem solving) ...................................................................................................... 6
Class participation (10%) .......................................................................................................................... 6
Project (25%) consists of part A (15%) and part B (10%) ......................................................................... 6
Final Exam (40%; close book) in week 15 ................................................................................................ 7
Grades release schedule ............................................................................................................................. 7
4
Group Allocation for Assignments .................................................................................................... 7
5
Classroom Planning ............................................................................................................................ 7
5.1
Course Schedule Summary ........................................................................................................... 8
5.2 Lab Exercises ....................................................................................................................................... 9
5.3 Weekly plan ......................................................................................................................................... 9
6
List of Information Resources and References ................................................................................13
Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger,
Prentice Hall, 2007.................................................................................................................................13
7
Tooling ................................................................................................................................................13
Tool 13
Description ..............................................................................................................................................13
Remarks ..................................................................................................................................................13
8
Learning Outcomes, Achievement Methods and Assessment ........................................................13
Course: Security and Trust
Page 2
SMU School of Information Systems (SIS)
1 Versions History
Version
V 1.0
V 2.0
V 2.1
V 2.2
V 3.0
V 4.0
V 4.1
V 4.2
V 4.3
V 4.4
V4.5
V4.6
V4.7
Description of
Changes
 Revised the design
documents for weeks
7 – 11 based on
discussions with
Ravi Sandu and
Ankit Fadia
 Re-designed the
project
 Re-designed the lab
session
 Revised the prerequisites of the
course, learning
outcomes, and
tooling
 Revised course
content and schedule
 Strengthened handson exercise
 Revised course
content and schedule
 Revised design
document in new
format
 Revised project
design
 Revised learning
outcomes
 Revised design
document in new
format
 Revised project
topics
 Revised project
topics
 Revised project
design and topics
Course: Security and Trust
Author
Date
Yingjiu Li
Yingjiu Li
31-12-2004
03-12-2005
Yingjiu Li
26-12-2005
Yingjiu Li
07-08-2006
Yingjiu Li
28-12-2006
Yingjiu Li
03-12-2007
Yingjiu Li
15-02-2008
Yingjiu Li
24-12-2008
Yingjiu Li
02-11-2009
Yingjiu Li
10-06-2010
Yingjiu Li
02-01-2012
Yingjiu Li
31-10-2012
Yingjiu Li
17-12-2012
Page 3
SMU School of Information Systems (SIS)
2 Overview of Security and Trust Course
2.1
Synopsis
Security and Trust course provides both fundamental principles and technical
skills for analyzing, evaluating, and developing secure systems in practice.
Students will learn essentials about security models, algorithms, protocols, and
mechanisms in computer networks, programs, and database systems.
Classroom instruction will be integrated with hands-on exercises on security tools
in Windows and Java language.
2.2
Prerequisites
Students should understand the basics of computer network, programming
languages (Java, in particular), and information systems.
2.3
Objectives
Upon finishing the course, students are expected to:
• Understand basic security concepts, models, algorithms and protocols.
• Understand security requirements and constraints in some real world
applications.
• Be able to analyze the current security mechanisms.
• Be aware of the current and future trends in security applications.
2.4
Basic Modules
Backgroundand
andBasic
BasicConcepts
Concepts(1
(1week)
week)
Background
Applied
Applied
Cryptography
Cryptography
(4weeks)
weeks)
(4
Course: Security and Trust
NWSecurity
Security
NW
(3weeks)
weeks)
(3
AccessControl
Control
Access
(1week)
week)
(1
Quizand
andproject
projectpresentation
presentation(3
(3week)
week)
Quiz
Page 4
SMU School of Information Systems (SIS)
2.5
Instructional Staff



Professors: Robert Deng, Yingjiu Li, Xuhua Ding, Debin Gao
Instructional staff: to be updated
Teaching assistant: to be updated
3 Output and Assessment Summary
Week
1
2
3
4
5
6
7
8
(Recess)
9
Date
Output
Assessments
10 project groups
Weighting
in %
Assignment 1
5
Midterm
15
Assignment 2
Lab
12
Project
presentation and
demo I
Project
Presentation and
demo II
Project report
10
Final exam
40
14
(Review)
15
Course: Security and Trust
Final exam
40%
Assignment
s 10%
Review midterm
10
11
13
Group
Weighting
Project 25%
(report 15%,
presentatio
n 10%)
5
midterm
quiz 15%
Class
participatio
n 10%
Remarks
Overview
Enc to DES
Enc to AES
RSA, DH
Hash,MAC,Sig
Cert, PKI
Password
Password II and
internet security
AC
password
cracking,
FW,IDS
Invited talk from
industry
15
Page 5
SMU School of Information Systems (SIS)
90
100%
Total
Midterm quiz (15%; problem solving)


1.5 hours (close-book)
Cover the first 6 weeks.
Class participation (10%)

Evaluated by the lecturers based on students’ participation in classroom
discussions and grading on hands-on and lab exercises
Project (25%)


Teaming: each team consists of 3 to 4 members.
References: internet, textbook
Each team chooses a topic from the following list and conducts an open-ended
investigation on the topic:
1. Web browser security
2. SSL security issues and solutions
3. Privacy leakage and control in online social networks
4. Authentication and anonymity in location based services
5. Differential privacy
6. Android permission models and enforcement
7. iOS malware and detection
8. Android malware and detection
9. Timing based attestation
10. Password strength measurements
 Grading: 25%
1. Presentation15%
 Presentation organization 5%
 Technical description 5%
 Q&A 5%
2. Project report 10%
 Breadth 5%
 Depth 5%
 Deliverables: Each team will write a project report on their findings, and
deliver an oral presentation in class. The report should be within 10~15
pages, using 11pt font, single column and single space format. The oral
presentation should be delivered within 20~25 minutes plus 5~10 minutes
Q&A.
–
Requirements: In both presentation and report, each team should:
a) Describe the background of the related topic
Course: Security and Trust
Page 6
SMU School of Information Systems (SIS)
b)
c)
d)
e)
f)
Identify major issues (problems, concerns, questions) in the field
Address the identified issues with technical details
Provide your own comments and analyses
Give illustrative examples and case studies where appropriate
List all references
The project outline within 5 pages (hardcopy) is due in week 9. The
presentations are scheduled in weeks 12 and 13. The final report is due on
Monday in week 14.
Final Exam (40%; close book) in week 15


Cover all material taught in class, including the invited talk and lab
Multiple choice questions and short answer questions
Grades release schedule
Ex/Assignments
Midterm
Participation
Final exam
Group project
before the next class
before week 10
at the end of term
at the end of term
at the end of term
4 Group Allocation for Assignments
Each class is partitioned into 10 groups. The students in each group are
randomly selected.
5 Classroom Planning
Teaching session: 3 hours
Review: 15 minutes
Solution techniques: 1 hour 30 minutes
 Security problems and techniques
 Analysis
Hands-on exercises: 1 hour
 Settings and steps
 Discussions
Summary: 15 minutes
Course: Security and Trust
Note
Learning
Hands-on
Learning effect
Page 7
SMU School of Information Systems (SIS)
5.1
Course Schedule Summary
Wk
Topic
(problem)
1
Background
Chapter 1,
7.1
2
Enc Basics
3
DES-AES
4
RSA
5
Readings
(textbook)
Classroom:
techniques
(1.5 hours)
Form project
teams
2.1-2.4
Networking
basics and
security
concepts
Enc basics
2.5-2.6, 10.2
DES, AES
OpenSSL and
JCE
2.7-2.8, 10.3
RSA enc
Integrity
2.8, 10.3
6
Cert, PKI
2.8, 7.6
Hash, MAC,
RSA sig
Cert, PKI,
CRL
7
8
9
Quiz, user
auth
Recess
User auth
10
AC
11
Internet Sec
12
Proj Pres I
Classroom:
hands-on
(1.5 hours)
4.5
Midterm
4.5, 7.3
User
authenticatio
n II and
internet
security
DAC, MAC,
RBAC
4.1-4.4, 5.15.3
Course: Security and Trust
Lab on pwd
cracking
5 groups
Afterclass
reading
and
exercise
Group
formation
and topic
selection
OpenSSL and
JCE
Assignmen
t1
Assignment 1
Review of
assignment 1,
OpenSSL and
JCE
Open SSL and
JCE
Open SSL, email
security,
windows cert mgt
User
authentication I
Review of
midterm
Project
draft due
Java
SecurityManager
Assignmen
t2
Assignment 2
Lab on FW, IDS,
and AC
Review of
assignment 2
SAS-SMU
Enterprise
Intelligence
Lab
Invited talk
Page 8
SMU School of Information Systems (SIS)
from
industry
13
14
Proj Pres II
Review
15
Final exam
5 groups
Project report
due
Project
report,
Q&A
5.2 Lab Exercises
The lab exercises shall be conducted in class, usually during the second half of the time allocated
for the class.
The students shall be provided with a lab document, detailing the activities to be conducted, and
the instructor will guide the students where required.
The results of the labs have to be submitted at the end of class. No later submissions will be
accepted (unless otherwise instructed by the professor teaching the respective section).
Week
Lab
Focus
Lab Activity
1
2
1
2
Basic security concepts
Encryption basics
3
3
DES and AES
4
4
RSA encryption
5
6
7
9
10
11
5
6
Integrity check
Certification and PKI
Password authentication
Strong authentication
Access control
Internet security
Email attack in SMTP
Openssl, cryptool, and JCE installation and
demo
DES and AES with openssl, JCE, and
cryptool
RSA encryption with openssl, JCE and
cryptool
Hash, MAC, and RSA signature
Email security with free certificates
Midterm
Review of midterm
Security manager in JCE
Password cracking, firewall and intrusion
detection in SAS lab.
7
8
5.3 Weekly plan
Week: 1
Session 1:
 Introduction to the course
 Basic security concepts
Session 2:
 Networking basics and email attack
 Project team formation
Reference:
 Chapter 1 and 7.1
Things to ensure:
 Course material is available for download from the course web site
 Students must be assigned into groups for project
Course: Security and Trust
Page 9
SMU School of Information Systems (SIS)
Week: 2
Session 1:
 Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
 Security analysis of ancient ciphers
Session 2:
 Installation of JCE cryptool and Openssl
 Test for the tools
Reference:
 Chapter 2.1-2.4
Things to ensure:
 Students understand two basic encryption techniques: substitution and transposition
 JCE, cryptool and openssl are correctly installed for hands-on exercise in the following
weeks
Week: 3
Session 1:
 DES: history and details
 AES: history and details
Session 2:
 Use both Openssl and JCE for DES and AES encryption and decryption
Reference:
 Chapter 2.5-2.6, 10.2
Things to ensure:
 Students know the security status of DES and AES
 Students know how to use DES and AES in Openssl and JCE
Week: 4
Session 1:
 Asymmetric encryption with RSA
Session 2:
 Use Openssl and JCE for generating RSA keys and for performing RSA encryption
Reference:
 Chapter 2.7-2.8, 10.3
Things to ensure:
 Students understand the security of RSA encryption
 Students know how to generate RSA keys and use RSA keys in Openssl and JCE
 Assignment 1 due and review
Week: 5
Session 1:
 Hash functions (MD5 and SHA1)
 MAC (HMAC and DES-MAC)
 RSA signature
 Compare MAC with RSA signature for message integrity check
Session 2:
 Use JCE for message integrity check with HMAC and RSA signature
Reference:
 Chapter 2.8, 10.3
Things to ensure:
Course: Security and Trust
Page 10
SMU School of Information Systems (SIS)
 Students understand the security status of hash functions
 Students understand the differences between MAC and RSA signature
 Students know how to use JCE for integrity check with MAC and RSA signature
Week: 6
Session 1:
 Impersonation problem and the need of using certificates
 X. 509 certificate format
 CRL
Session 2:
 Email security (S/MIME and PGP)
 Signed and/or encrypted email with COMODO certificates in Outlook
Reference:
 Chapter 2.8, 7.6
Things to ensure:
 Understand why and how to use certificates and CRLs
 Know how to use Outlook to send signed and/or encrypted emails
Week: 7
Session 1:
 quiz
Session 2:
 weak authentication with passwords
 Unix passwords
 Windows LM hash and NTLM hash
 Password attacks
Reference:
 Chapter 4.5
Things to ensure:
 Understand how passwords are stored in computers
Week: 8 (Recess week: no class)
Session 1:

Session 2:

Reference:

Things to ensure:

Week: 9
Session 1:
 Strong authentication (Lamport, challenge response, time synchronization)
 NTLMv1 and NTLMv2
Session 2:
 Internet security (SSL, firewall, IDS)
Reference:
Course: Security and Trust
Page 11
SMU School of Information Systems (SIS)
 Chapter 4.5, 7.3
Things to ensure:
 Understand why strong authentication is securer than weak authentication
 Understand how passwords are verified in Windows
 Understand the fundamentals of SSL, firewall and IDS
 Understand how to protect information systems in banks (case study)
 Project draft is due
Week: 10
Session 1:
 Access control models: DAC, MAC, RBAC
Session 2:
 Java SecurityManager
Reference:
 Chapter 4.1-4.4, 5.1-5.3
Things to ensure:
 Know how to use java SecurityManager to enforce access control
 Assignment 2 covers weeks 9 and 10
Week: 11
Session 1:
 Lab exercise for password cracking
Session 2:
 Lab exercise for using firewall and IDS
Reference:
 Lab instructions
Things to ensure:
 Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall
configuration, and intrusion detection
 Assignment 2 due and review
Week: 12 (project presentation: teams 1-5)
Session 1:

Session 2:

Reference:

Things to ensure:
 Invited talk from industry on information security best practice
Week: 13 (project presentation and demo: teams 6-10)
Session 1:

Session 2:

Reference:

Things to ensure:
Course: Security and Trust
Page 12
SMU School of Information Systems (SIS)
 Learning information security trends from each other
Week: 14 (review week: no class)
Session 1:

Session 2:

Reference:

Things to ensure:
 Project report is due
Week: 15 (exam week: no class)
Session 1:

Session 2:

Reference:

Things to ensure:
 Final exam
6 List of Information Resources and References
Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L.
Pfleeger, Prentice Hall, 2007
Other reading material and reference websites are available in the course slides
7 Tooling
Tool
Open SSL, JCE,
CrypTool
PPA, IPtable, snort
Description
Security tools in
Windows and Java
Password cracking,
firewall, and IDS
Remarks
Hands-on exercises and
demo
Lab exercises
8 Learning Outcomes, Achievement Methods and Assessment
Course: Security and Trust
Page 13
SMU School of Information Systems (SIS)
Course-specific core
competencies which
address the Outcomes
IS302 - Information
Security and Trust
1
Faculty Methods
to Assess
Outcomes
Integration of business &
technology in a sector context
Identify the security properties
of enterprise information
systems
Analyze the security tradeoffs to
be made in design of enterprise
information systems
1.1 Business IT value linkage
skills
YY
List basic design principles of
protecting enterprise
information systems
Execute and grade lab
exercises
Grade and give feedback
to individual
assignments
Grade and give feedback
to group project
Identify major security
technologies/components that
are most effective for protecting
enterprise information systems
Explain the future trend of
security technologies that will
generate significant impact to
practice
Ability to understand & analyze the
linkages between:
a) Business strategy and business
value creation
b) Business strategy and
information strategy
c) Information strategy and
technology strategy
d) Business strategy and business
processes
e) Business processes or
information strategy or technology
strategy and IT solutions
1.2 Cost and benefits analysis
skills
Ability to understand and analyze:
a) Costs and benefits analysis of the
project
1.3 Business software solution
impact analysis skills
Ability to understand and analyze:
Course: Security and Trust
YY
Page 14
SMU School of Information Systems (SIS)
a) How business software
applications impact the enterprise
within a particular industry sector.
2
IT architecture, design and
development skills
Perform basic security functions
with tools Crytool, openssl and
JCE
2.1 System requirements
specification skills
Identify the security
requirements for enterprise
information systems
Y
Design effective and efficient
solutions to protect enterprise
information systems
Grade assignments 1
and 2
Execute and grade lab
exercises
Real case studies and
invited talks from
industry with questions
included and graded in
the final exam
Grade and give feedback
to project
Ability to:
a) Elicit and understand functional
requirements from customer
b) Identify non functional
requirements (performance,
availability, reliability, security,
usability etc…)
c) Analyze and document business
processes
2.2 Software and IT architecture
analysis and design skills
Ability to:
a) Analyze functional and nonfunctional requirements to produce a
system architecture that meets those
requirements.
b) Understand and apply process and
methodology in building the
application
c) Create design models using
known design principles (e.g.
layering) and from various view
points (logical, physical etc…)
Course: Security and Trust
Y
Y
Y
Analyze the vulnerability of
network in a web application
scenario and apply intrusion
detection and firewall
techniques to eliminate the
vulnerability
Execute and grade lab
exercises
Y
Y
Y
Page 15
SMU School of Information Systems (SIS)
d) Explain and justify all the design
choices and tradeoffs done during
the application's development
2.3 Implementation skills
Ability to:
a) Realize coding from design and
vice versa
b) Learn / practice one
programming language
c) Integrate different applications
(developed application, cots
software, legacy application etc…)
d) Use tools for testing, integration
and deployment
Y
Y
Use cryptool, openssl and JCE
to design and implement
security techniques for network
security and access control
Execute and grade lab
exercises and project
Understand and know how to
use major security building
blocks including hash,
encryption and decryption,
signature, certificates, password
authentication, firewall,
intrusion detection, and access
control
Execute and grade lab
exercises
Y
Y
Y
2.4 Technology application skills
Y
Ability to:
a) Understand, select and use
appropriate technology building
blocks when developing an enterprise
Y
solution (security, middleware,
network, IDE, ERP, CRM, SCM etc…)
3
Project management skills
3.1 Scope management skills
Ability to:
a) Identify and manage trade-offs
on scope/cost/quality/time
b) Document and manage changing
requirements
3.2 Risks management skills
Ability to:
a) Identify, prioritize, mitigate and
document project’s risks
b) Constantly monitor projects
risks as part of project monitoring
3.3 Project integration and time
management skills
Course: Security and Trust
Page 16
SMU School of Information Systems (SIS)
Ability to:
a) Establish WBS, time & effort
estimates, resource allocation,
scheduling etc…
b) Practice in planning using
methods and tools (Microsoft
project, Gantt chart etc…)
c) Develop / execute a project plan
and maintain it
3.4 Configuration management
skills
Ability to:
a) Understand concepts of
configuration mgt and change
control
3.5 Quality management skills
Ability to:
a) Understand the concepts of
Quality Assurance and Quality
control (Test plan, test cases …)
4
Learning to learn skills
4.1 Search skills
Ability to:
a) Search for information efficiently
and effectively
4.2 Skills for developing a
methodology for learning
Ability to:
a) Develop learning heuristics in
order to acquire new knowledge
skills (focus on HOW to learn versus
WHAT to learn ).
b) Abide by appropriate legal,
professional and ethical practices for
using and citing the intellectual
property of others
5
Collaboration (or team) skills:
5.1 Skills to improve the
effectiveness of group processes
and work products
Ability to develop:
a) Leadership skills
Course: Security and Trust
Y
Effectively communicate and
resolve conflicts while working
in a randomly chosen team
Grade and give feedback
to project
Page 17
SMU School of Information Systems (SIS)
b) Communication skills
c) Consensus and conflict resolution
skills
6
7
8
Change management skills for
enterprise systems
6.1 Skills to diagnose business
changes
Ability to:
a) Understand the organizational
problem or need for change (e.g.
Analyze existing business processes
or “as-is process”)
6.2 Skills to implement and
sustain business changes
Ability to:
a) implement the change (e.g.
advertise / communicate the need for
change etc..) and to sustain the
change over time
Skills for working across
countries, cultures and borders
7.1 Cross-national awareness
skills
Ability to:
a) Develop cross-national
understandings of culture,
institutions (e.g. law), language
etc…
7.2 Business across countries
facilitation skills
Ability to:
a) Communicate across countries
b) Adapt negotiation and conflict
resolution techniques to a
multicultural environment
Communication skills
8.1 Presentation skills
Y
Prepare and deliver an effective
and efficient presentation on a
new information security topic.
Grade and give feedback
to project
Ability to:
Course: Security and Trust
Page 18
SMU School of Information Systems (SIS)
a) Provide an effective and efficient
presentation on a specified topic.
8.2 Writing skills
Y
Write survey report on a new
information security topic.
Grade and give feedback
to project and individual
assignments
Ability to:
a) Provide documentation
understandable by users
(Requirements specifications, risks
management plan, assumptions,
constraints, architecture choices,
design choices etc…)
Y
YY
This sub-skill is covered partially by the
course
This sub-skill is a main focus for this
course
Course: Security and Trust
Page 19
Download