Course Design Document IS302: Information Security and Trust Version 4.7 17 December 2012 SMU School of Information Systems (SIS) Table of Content 1 2 Versions History .................................................................................................................................. 3 Overview of Security and Trust Course ............................................................................................ 4 2.1 Synopsis ........................................................................................................................................ 4 2.2 Prerequisites ................................................................................................................................ 4 2.3 Objectives ..................................................................................................................................... 4 2.4 Basic Modules .............................................................................................................................. 4 2.5 Instructional Staff ........................................................................................................................ 5 3 Output and Assessment Summary .................................................................................................... 5 Midterm quiz (15%; problem solving) ...................................................................................................... 6 Class participation (10%) .......................................................................................................................... 6 Project (25%) consists of part A (15%) and part B (10%) ......................................................................... 6 Final Exam (40%; close book) in week 15 ................................................................................................ 7 Grades release schedule ............................................................................................................................. 7 4 Group Allocation for Assignments .................................................................................................... 7 5 Classroom Planning ............................................................................................................................ 7 5.1 Course Schedule Summary ........................................................................................................... 8 5.2 Lab Exercises ....................................................................................................................................... 9 5.3 Weekly plan ......................................................................................................................................... 9 6 List of Information Resources and References ................................................................................13 Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007.................................................................................................................................13 7 Tooling ................................................................................................................................................13 Tool 13 Description ..............................................................................................................................................13 Remarks ..................................................................................................................................................13 8 Learning Outcomes, Achievement Methods and Assessment ........................................................13 Course: Security and Trust Page 2 SMU School of Information Systems (SIS) 1 Versions History Version V 1.0 V 2.0 V 2.1 V 2.2 V 3.0 V 4.0 V 4.1 V 4.2 V 4.3 V 4.4 V4.5 V4.6 V4.7 Description of Changes Revised the design documents for weeks 7 – 11 based on discussions with Ravi Sandu and Ankit Fadia Re-designed the project Re-designed the lab session Revised the prerequisites of the course, learning outcomes, and tooling Revised course content and schedule Strengthened handson exercise Revised course content and schedule Revised design document in new format Revised project design Revised learning outcomes Revised design document in new format Revised project topics Revised project topics Revised project design and topics Course: Security and Trust Author Date Yingjiu Li Yingjiu Li 31-12-2004 03-12-2005 Yingjiu Li 26-12-2005 Yingjiu Li 07-08-2006 Yingjiu Li 28-12-2006 Yingjiu Li 03-12-2007 Yingjiu Li 15-02-2008 Yingjiu Li 24-12-2008 Yingjiu Li 02-11-2009 Yingjiu Li 10-06-2010 Yingjiu Li 02-01-2012 Yingjiu Li 31-10-2012 Yingjiu Li 17-12-2012 Page 3 SMU School of Information Systems (SIS) 2 Overview of Security and Trust Course 2.1 Synopsis Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and Java language. 2.2 Prerequisites Students should understand the basics of computer network, programming languages (Java, in particular), and information systems. 2.3 Objectives Upon finishing the course, students are expected to: • Understand basic security concepts, models, algorithms and protocols. • Understand security requirements and constraints in some real world applications. • Be able to analyze the current security mechanisms. • Be aware of the current and future trends in security applications. 2.4 Basic Modules Backgroundand andBasic BasicConcepts Concepts(1 (1week) week) Background Applied Applied Cryptography Cryptography (4weeks) weeks) (4 Course: Security and Trust NWSecurity Security NW (3weeks) weeks) (3 AccessControl Control Access (1week) week) (1 Quizand andproject projectpresentation presentation(3 (3week) week) Quiz Page 4 SMU School of Information Systems (SIS) 2.5 Instructional Staff Professors: Robert Deng, Yingjiu Li, Xuhua Ding, Debin Gao Instructional staff: to be updated Teaching assistant: to be updated 3 Output and Assessment Summary Week 1 2 3 4 5 6 7 8 (Recess) 9 Date Output Assessments 10 project groups Weighting in % Assignment 1 5 Midterm 15 Assignment 2 Lab 12 Project presentation and demo I Project Presentation and demo II Project report 10 Final exam 40 14 (Review) 15 Course: Security and Trust Final exam 40% Assignment s 10% Review midterm 10 11 13 Group Weighting Project 25% (report 15%, presentatio n 10%) 5 midterm quiz 15% Class participatio n 10% Remarks Overview Enc to DES Enc to AES RSA, DH Hash,MAC,Sig Cert, PKI Password Password II and internet security AC password cracking, FW,IDS Invited talk from industry 15 Page 5 SMU School of Information Systems (SIS) 90 100% Total Midterm quiz (15%; problem solving) 1.5 hours (close-book) Cover the first 6 weeks. Class participation (10%) Evaluated by the lecturers based on students’ participation in classroom discussions and grading on hands-on and lab exercises Project (25%) Teaming: each team consists of 3 to 4 members. References: internet, textbook Each team chooses a topic from the following list and conducts an open-ended investigation on the topic: 1. Web browser security 2. SSL security issues and solutions 3. Privacy leakage and control in online social networks 4. Authentication and anonymity in location based services 5. Differential privacy 6. Android permission models and enforcement 7. iOS malware and detection 8. Android malware and detection 9. Timing based attestation 10. Password strength measurements Grading: 25% 1. Presentation15% Presentation organization 5% Technical description 5% Q&A 5% 2. Project report 10% Breadth 5% Depth 5% Deliverables: Each team will write a project report on their findings, and deliver an oral presentation in class. The report should be within 10~15 pages, using 11pt font, single column and single space format. The oral presentation should be delivered within 20~25 minutes plus 5~10 minutes Q&A. – Requirements: In both presentation and report, each team should: a) Describe the background of the related topic Course: Security and Trust Page 6 SMU School of Information Systems (SIS) b) c) d) e) f) Identify major issues (problems, concerns, questions) in the field Address the identified issues with technical details Provide your own comments and analyses Give illustrative examples and case studies where appropriate List all references The project outline within 5 pages (hardcopy) is due in week 9. The presentations are scheduled in weeks 12 and 13. The final report is due on Monday in week 14. Final Exam (40%; close book) in week 15 Cover all material taught in class, including the invited talk and lab Multiple choice questions and short answer questions Grades release schedule Ex/Assignments Midterm Participation Final exam Group project before the next class before week 10 at the end of term at the end of term at the end of term 4 Group Allocation for Assignments Each class is partitioned into 10 groups. The students in each group are randomly selected. 5 Classroom Planning Teaching session: 3 hours Review: 15 minutes Solution techniques: 1 hour 30 minutes Security problems and techniques Analysis Hands-on exercises: 1 hour Settings and steps Discussions Summary: 15 minutes Course: Security and Trust Note Learning Hands-on Learning effect Page 7 SMU School of Information Systems (SIS) 5.1 Course Schedule Summary Wk Topic (problem) 1 Background Chapter 1, 7.1 2 Enc Basics 3 DES-AES 4 RSA 5 Readings (textbook) Classroom: techniques (1.5 hours) Form project teams 2.1-2.4 Networking basics and security concepts Enc basics 2.5-2.6, 10.2 DES, AES OpenSSL and JCE 2.7-2.8, 10.3 RSA enc Integrity 2.8, 10.3 6 Cert, PKI 2.8, 7.6 Hash, MAC, RSA sig Cert, PKI, CRL 7 8 9 Quiz, user auth Recess User auth 10 AC 11 Internet Sec 12 Proj Pres I Classroom: hands-on (1.5 hours) 4.5 Midterm 4.5, 7.3 User authenticatio n II and internet security DAC, MAC, RBAC 4.1-4.4, 5.15.3 Course: Security and Trust Lab on pwd cracking 5 groups Afterclass reading and exercise Group formation and topic selection OpenSSL and JCE Assignmen t1 Assignment 1 Review of assignment 1, OpenSSL and JCE Open SSL and JCE Open SSL, email security, windows cert mgt User authentication I Review of midterm Project draft due Java SecurityManager Assignmen t2 Assignment 2 Lab on FW, IDS, and AC Review of assignment 2 SAS-SMU Enterprise Intelligence Lab Invited talk Page 8 SMU School of Information Systems (SIS) from industry 13 14 Proj Pres II Review 15 Final exam 5 groups Project report due Project report, Q&A 5.2 Lab Exercises The lab exercises shall be conducted in class, usually during the second half of the time allocated for the class. The students shall be provided with a lab document, detailing the activities to be conducted, and the instructor will guide the students where required. The results of the labs have to be submitted at the end of class. No later submissions will be accepted (unless otherwise instructed by the professor teaching the respective section). Week Lab Focus Lab Activity 1 2 1 2 Basic security concepts Encryption basics 3 3 DES and AES 4 4 RSA encryption 5 6 7 9 10 11 5 6 Integrity check Certification and PKI Password authentication Strong authentication Access control Internet security Email attack in SMTP Openssl, cryptool, and JCE installation and demo DES and AES with openssl, JCE, and cryptool RSA encryption with openssl, JCE and cryptool Hash, MAC, and RSA signature Email security with free certificates Midterm Review of midterm Security manager in JCE Password cracking, firewall and intrusion detection in SAS lab. 7 8 5.3 Weekly plan Week: 1 Session 1: Introduction to the course Basic security concepts Session 2: Networking basics and email attack Project team formation Reference: Chapter 1 and 7.1 Things to ensure: Course material is available for download from the course web site Students must be assigned into groups for project Course: Security and Trust Page 9 SMU School of Information Systems (SIS) Week: 2 Session 1: Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition Security analysis of ancient ciphers Session 2: Installation of JCE cryptool and Openssl Test for the tools Reference: Chapter 2.1-2.4 Things to ensure: Students understand two basic encryption techniques: substitution and transposition JCE, cryptool and openssl are correctly installed for hands-on exercise in the following weeks Week: 3 Session 1: DES: history and details AES: history and details Session 2: Use both Openssl and JCE for DES and AES encryption and decryption Reference: Chapter 2.5-2.6, 10.2 Things to ensure: Students know the security status of DES and AES Students know how to use DES and AES in Openssl and JCE Week: 4 Session 1: Asymmetric encryption with RSA Session 2: Use Openssl and JCE for generating RSA keys and for performing RSA encryption Reference: Chapter 2.7-2.8, 10.3 Things to ensure: Students understand the security of RSA encryption Students know how to generate RSA keys and use RSA keys in Openssl and JCE Assignment 1 due and review Week: 5 Session 1: Hash functions (MD5 and SHA1) MAC (HMAC and DES-MAC) RSA signature Compare MAC with RSA signature for message integrity check Session 2: Use JCE for message integrity check with HMAC and RSA signature Reference: Chapter 2.8, 10.3 Things to ensure: Course: Security and Trust Page 10 SMU School of Information Systems (SIS) Students understand the security status of hash functions Students understand the differences between MAC and RSA signature Students know how to use JCE for integrity check with MAC and RSA signature Week: 6 Session 1: Impersonation problem and the need of using certificates X. 509 certificate format CRL Session 2: Email security (S/MIME and PGP) Signed and/or encrypted email with COMODO certificates in Outlook Reference: Chapter 2.8, 7.6 Things to ensure: Understand why and how to use certificates and CRLs Know how to use Outlook to send signed and/or encrypted emails Week: 7 Session 1: quiz Session 2: weak authentication with passwords Unix passwords Windows LM hash and NTLM hash Password attacks Reference: Chapter 4.5 Things to ensure: Understand how passwords are stored in computers Week: 8 (Recess week: no class) Session 1: Session 2: Reference: Things to ensure: Week: 9 Session 1: Strong authentication (Lamport, challenge response, time synchronization) NTLMv1 and NTLMv2 Session 2: Internet security (SSL, firewall, IDS) Reference: Course: Security and Trust Page 11 SMU School of Information Systems (SIS) Chapter 4.5, 7.3 Things to ensure: Understand why strong authentication is securer than weak authentication Understand how passwords are verified in Windows Understand the fundamentals of SSL, firewall and IDS Understand how to protect information systems in banks (case study) Project draft is due Week: 10 Session 1: Access control models: DAC, MAC, RBAC Session 2: Java SecurityManager Reference: Chapter 4.1-4.4, 5.1-5.3 Things to ensure: Know how to use java SecurityManager to enforce access control Assignment 2 covers weeks 9 and 10 Week: 11 Session 1: Lab exercise for password cracking Session 2: Lab exercise for using firewall and IDS Reference: Lab instructions Things to ensure: Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection Assignment 2 due and review Week: 12 (project presentation: teams 1-5) Session 1: Session 2: Reference: Things to ensure: Invited talk from industry on information security best practice Week: 13 (project presentation and demo: teams 6-10) Session 1: Session 2: Reference: Things to ensure: Course: Security and Trust Page 12 SMU School of Information Systems (SIS) Learning information security trends from each other Week: 14 (review week: no class) Session 1: Session 2: Reference: Things to ensure: Project report is due Week: 15 (exam week: no class) Session 1: Session 2: Reference: Things to ensure: Final exam 6 List of Information Resources and References Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007 Other reading material and reference websites are available in the course slides 7 Tooling Tool Open SSL, JCE, CrypTool PPA, IPtable, snort Description Security tools in Windows and Java Password cracking, firewall, and IDS Remarks Hands-on exercises and demo Lab exercises 8 Learning Outcomes, Achievement Methods and Assessment Course: Security and Trust Page 13 SMU School of Information Systems (SIS) Course-specific core competencies which address the Outcomes IS302 - Information Security and Trust 1 Faculty Methods to Assess Outcomes Integration of business & technology in a sector context Identify the security properties of enterprise information systems Analyze the security tradeoffs to be made in design of enterprise information systems 1.1 Business IT value linkage skills YY List basic design principles of protecting enterprise information systems Execute and grade lab exercises Grade and give feedback to individual assignments Grade and give feedback to group project Identify major security technologies/components that are most effective for protecting enterprise information systems Explain the future trend of security technologies that will generate significant impact to practice Ability to understand & analyze the linkages between: a) Business strategy and business value creation b) Business strategy and information strategy c) Information strategy and technology strategy d) Business strategy and business processes e) Business processes or information strategy or technology strategy and IT solutions 1.2 Cost and benefits analysis skills Ability to understand and analyze: a) Costs and benefits analysis of the project 1.3 Business software solution impact analysis skills Ability to understand and analyze: Course: Security and Trust YY Page 14 SMU School of Information Systems (SIS) a) How business software applications impact the enterprise within a particular industry sector. 2 IT architecture, design and development skills Perform basic security functions with tools Crytool, openssl and JCE 2.1 System requirements specification skills Identify the security requirements for enterprise information systems Y Design effective and efficient solutions to protect enterprise information systems Grade assignments 1 and 2 Execute and grade lab exercises Real case studies and invited talks from industry with questions included and graded in the final exam Grade and give feedback to project Ability to: a) Elicit and understand functional requirements from customer b) Identify non functional requirements (performance, availability, reliability, security, usability etc…) c) Analyze and document business processes 2.2 Software and IT architecture analysis and design skills Ability to: a) Analyze functional and nonfunctional requirements to produce a system architecture that meets those requirements. b) Understand and apply process and methodology in building the application c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc…) Course: Security and Trust Y Y Y Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability Execute and grade lab exercises Y Y Y Page 15 SMU School of Information Systems (SIS) d) Explain and justify all the design choices and tradeoffs done during the application's development 2.3 Implementation skills Ability to: a) Realize coding from design and vice versa b) Learn / practice one programming language c) Integrate different applications (developed application, cots software, legacy application etc…) d) Use tools for testing, integration and deployment Y Y Use cryptool, openssl and JCE to design and implement security techniques for network security and access control Execute and grade lab exercises and project Understand and know how to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control Execute and grade lab exercises Y Y Y 2.4 Technology application skills Y Ability to: a) Understand, select and use appropriate technology building blocks when developing an enterprise Y solution (security, middleware, network, IDE, ERP, CRM, SCM etc…) 3 Project management skills 3.1 Scope management skills Ability to: a) Identify and manage trade-offs on scope/cost/quality/time b) Document and manage changing requirements 3.2 Risks management skills Ability to: a) Identify, prioritize, mitigate and document project’s risks b) Constantly monitor projects risks as part of project monitoring 3.3 Project integration and time management skills Course: Security and Trust Page 16 SMU School of Information Systems (SIS) Ability to: a) Establish WBS, time & effort estimates, resource allocation, scheduling etc… b) Practice in planning using methods and tools (Microsoft project, Gantt chart etc…) c) Develop / execute a project plan and maintain it 3.4 Configuration management skills Ability to: a) Understand concepts of configuration mgt and change control 3.5 Quality management skills Ability to: a) Understand the concepts of Quality Assurance and Quality control (Test plan, test cases …) 4 Learning to learn skills 4.1 Search skills Ability to: a) Search for information efficiently and effectively 4.2 Skills for developing a methodology for learning Ability to: a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn ). b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others 5 Collaboration (or team) skills: 5.1 Skills to improve the effectiveness of group processes and work products Ability to develop: a) Leadership skills Course: Security and Trust Y Effectively communicate and resolve conflicts while working in a randomly chosen team Grade and give feedback to project Page 17 SMU School of Information Systems (SIS) b) Communication skills c) Consensus and conflict resolution skills 6 7 8 Change management skills for enterprise systems 6.1 Skills to diagnose business changes Ability to: a) Understand the organizational problem or need for change (e.g. Analyze existing business processes or “as-is process”) 6.2 Skills to implement and sustain business changes Ability to: a) implement the change (e.g. advertise / communicate the need for change etc..) and to sustain the change over time Skills for working across countries, cultures and borders 7.1 Cross-national awareness skills Ability to: a) Develop cross-national understandings of culture, institutions (e.g. law), language etc… 7.2 Business across countries facilitation skills Ability to: a) Communicate across countries b) Adapt negotiation and conflict resolution techniques to a multicultural environment Communication skills 8.1 Presentation skills Y Prepare and deliver an effective and efficient presentation on a new information security topic. Grade and give feedback to project Ability to: Course: Security and Trust Page 18 SMU School of Information Systems (SIS) a) Provide an effective and efficient presentation on a specified topic. 8.2 Writing skills Y Write survey report on a new information security topic. Grade and give feedback to project and individual assignments Ability to: a) Provide documentation understandable by users (Requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc…) Y YY This sub-skill is covered partially by the course This sub-skill is a main focus for this course Course: Security and Trust Page 19