Clark Atlanta University

Course Syllabus

CIS 521

Introduction to Information Security

T-Th 10:50-12:05

InfoSec Laboratory - Science Building 1012

 

Instructor: Dr. Zhicheng Wang, Professor

 

Office Hours

Note that office hours will be announced in class and posted on office door.

Office Location

Room 1019, Cole Building

Office Telephone

404-880-6934

Email

 

Course Number/Section: CIS 521
Course Title: Intro to Information Security
Credit Hours: 3
Semester: Fall 08
Time: 10:50-12:05
Level (U/G): UG/G

Brief Description

Broad overview of the field of information assurance.  Topics to be covered include techniques and tools required to protect information resources. 

Prerequisites (if applicable)

CIS 123: Data Structures

CIS 474: Intro to Operating Systems

HTTP Links

http://www.cis.cau.edu/course/cis521

http://www.cis.cau.edu/course/securitylinks

http://www.cis.cau.edu/infosec/

http://www.cis.cau.edu/

http://acm.org/

Course Length

3 credit hours over 16 weeks, with two 75-minute sessions per week, for a total of 48 hours.

 

Course Description:

This course provides an overview of Information Security. It is designed to teach Computer Science students the important issues in Information Security from both the computational and the administrative viewpoint. The primary emphasis of the course is technical: it examines the issues of providing security for information processing systems, including secure operating systems and applications, network security, cryptography, and security protocols. The course also examines security from an administrative perspective: the importance of management and administration, and the place information security holds in overall business risk.

 

Course Objectives and Learning Outcomes:

 

This course provides the student with a background, foundation, and insight into the subject of Information Security. This knowledge will serve as a foundation for future study in selected aspects of this important field, or as an important dimension of their effectiveness in the broader computer science field. The primary objectives of the course are to:

  • Understand the importance of information security and how it affects our changing world.
  • Understand the basic concepts of Information Security, especially the close relation between the objectives of machine security and human factors.
  • Understand the basic concepts of encryption, program threats, and trusted operating systems.
  • Be capable of developing a security policy for an organization.
  • Understand the relationship between software development and information security.
  • Identify the key areas of information security and how they work.
  • Learn how to critically analyze situations of computer use, identifying the issues, consequences, and viewpoints.

 

Learning Outcomes: After completing the course, students will be able to:

  • Identify and prioritize information assets.
  • Identify and prioritize threats to information assets.
  • Define an information security strategy and architecture.
  • Plan for and respond to intruders in an information system.
  • Describe legal and public relations implications of security and privacy issues.
  • Present a disaster recovery plan for recovery of information assets after an incident.


Course Outline and Major Topics

 

  1. Security problems in computing: what does "secure" mean?
     a. Methods of defense
     b. Controls (encryption, software and hardware controls)
     c. Policy and procedures (standards, training, establishing policies, security policies)
     d. Awareness of problems and issues (education, training, awareness, principles of effectiveness)
     e. Define countermeasures and periodic review

  2. The risks involved in computing:
     - Risk assessment, acceptance, and risk management concepts
     - Risk assessment: information states and valuation
     - Assessment methodology
     - Validation testing
     - Security Testing and Evaluation (ST&E)
     - Traffic analysis
     - Cost and benefit of risk analysis and acceptance, and of information processing and storage

  3. The goals of secure computing: information characteristics, confidentiality, integrity, and availability
     a. Define access management
     b. Access control software
     c. Account procedures management
     d. Access authentication process (policies, law, and penalties with personnel)
     e. Biometric identification access (policies, law, and penalties with personnel)
     f. Password access (policies, law, and penalties with personnel)

  4. The threats to security in computing (Information Systems/Technology): interception, interruption, modification, fabrication
     - Security investigation procedures and authorities
     - Define challenges in industrial security

  5. Controls available to address these threats:
     - Human threats
     - Encryption, programming controls, operating systems
     - Network controls, administrative controls (System Administration (SA))
     - Law enforcement interfaces (LEI) and ethics
     - International laws and legal bodies
     - User due care rule and monitoring (e-mail restriction program)

  6. The meaning of computer security
     a. Definition of intellectual property
     b. Originality of work
     c. Fair use of material
     d. Copyright infringement and computer software

  7. Inference
     a. Direct and indirect attacks
     b. Controls for statistical inference attacks
     c. Aggregation (related to the inference problem)
     d. Computer network attacks

  8. Security policies
     a. Military security policies
     b. Commercial security policies

  9. Models of security
     a. Multilevel security
     b. Lattice model of access security
        - Bell-LaPadula confidentiality model
        - Biba integrity model
        - Graham-Denning model
        - Harrison-Ruzzo-Ullman result

  10. Planning a security program for users and managers
      a. Reconstitution plan
      b. Disposition of classified material
      c. Define security tools
      d. Define restoration and backup reports

  11. Computer criminals:
      - The career computer criminal and understanding the targets of computer crime
      - Accountability of employees for accessing information and protecting their organization (fraud, waste, and abuse)

  12. Vulnerability management and attack analysis
      - Electronic records management
      - Records management
      - Records retention
      - Hardware asset management
      - Software asset management
      - Mail retention
      - Other exposed assets

  13. Define CARVER (criticality, accessibility, recuperability, vulnerability, effect, and recognizability)
      a. Emergency destruction policy (EDP)
      b. Describe emergency plans and policies

  14. Program security and development controls against malicious code and vulnerabilities: software engineering principles and practices
      a. Assurance methods (testing, formal verification, validation, and open source)
      b. Evaluation (U.S. Orange Book evaluation, origins of the ITSEC, European ITSEC evaluation)
      c. ITSEC: Information Technology Security Evaluation Criteria

  15. Protection in general-purpose operating systems
      - User authentication
      - Define non-repudiation
      - Controlled access to objects
      - Protecting memory, files, and the execution environment

  16. Methods of defense
      - Concepts of encryption (clearly addressing the need for confidentiality of data)
      - Asymmetric encryption and the RSA algorithm
      - Key exchange protocols, system certification, and certification tools
      - National policies and procedures (enforcing against security breaches through hardware or software means)
      - Controls (software, hardware, physical controls)
      - Handling media (complying with rules and regulations, etc.)

  17. Designing trusted operating systems
      - What makes operating systems "secure" or "trustworthy"?
      - How are trusted systems designed (employee clearance)?
      - How do we develop "assurance" of the correctness of a trusted operating system?
      - Evaluation of "Trusted Computer Systems"
      - Security clearances

  18. Management of information security: review of policies and procedures
      - Key Management System (KMS) rules (define requirements)
      - Key Management Infrastructure (KMI), define requirements
      - Electronic Key Management System (EKMS)
      - Introduce users and managers to COMSEC/security profiles, policies, and procedures
      - COMSEC custodian process and its relevance to users and managers
      - Program budget and evaluation
      - Ethical procedures (national key escrow policies and procedures)
      - Describe security breaches
      - Deliberate planting of apparent security weaknesses
      - Hardware asset management and its policy

  19. Information systems security policies
      - Incorporate technical security policies
      - Train users about policies (physical controls, transportation)
      - Evaluate security policies (controlling disgruntled employees)
      - Ensure adaptive security policy implementation
      - Define computer security principles
      - Risks involved in operational security
      - Auditing tools (policy and procedures)

  20. Emerging trends in certification and accreditation (types of accreditation)
      a. Examination of pre- and post-incident procedures and response
      b. Identify security changes and report them to the CIO, DAA, CTO, etc.
      c. Assisting and providing resources for the Automated Systems Security Incident Support Team (ASSIST)
      d. Define ISSO
      e. Define the certification statement and its process
      f. Process and purpose of re-certification and its tools
      g. Trade journals and Bulletin Board System (BBS) notices

  21. Network security controls
      a. Architecture
      b. Segmentation
      c. Redundancy
      d. Encryption
      e. VPN networks

  22. Network security evaluation
      a. Products
      b. Third party
      c. Cost and benefit analysis
      d. What are the assets, threats, and controls?
      e. Who are the threat agents? What is residual, uncontrolled risk?

  23. Information Security Oversight Office (ISOO) rules
      a. Marking of media
      b. Labeling
      c. Marking of sensitive information
      d. Discuss the list of command security policies and safeguards
      e. Define remanence tools

  24. Describe the approval process for facilities and services
      a. Describe agency policy on vendors and their operating process
      b. Facility redeployment of classified systems
      c. Waiver policy and justification
      d. Define security services to contracting officers

  25. Administrative policies, procedures, and practices


Teaching/Learning Methods: (lectures, videos, outside speakers, etc.)

This class is a lecture-focused course, supplemented by homework, assignments, lab and group project work, and presentations.

We will use electronic means of communication, including email and the class web site. Changes will be announced in class and posted on the class web site. Please check it frequently.

We will follow the posted course schedule as closely as possible but it is subject to change based on speaker availability, etc. Changes will be announced in class.

 

Evaluation Methods

Grading and other policies and expectations:

 

Assignment type and weight (%):

  • Homework- 25%
  • Article Critiques- 20%
  • Class Project- 30%
  • Class Participation/Attendance/Quizzes- 25%

All assignments and projects are required for passing the course.

CLASS PARTICIPATION AND ATTENDANCE
Discovery does not arise from instruction but from personal engagement with the controversies and potentials of a computerized society.  You have to be in class to contribute to and benefit from that personal engagement. As you saw above, a quarter of your grade depends on class participation and attendance. In this class, engagement will take several forms:

  • You will be expected to read, summarize, and interpret the articles for yourself and others.
  • You will be expected to study problems, techniques, and approaches individually and in groups, and then present your findings both orally and in writing.
  • You will be expected to critique the perspectives/opinions of both authors and classmates in discussions and position papers.

At any class period, you may be asked to summarize and critique readings from the book or elsewhere in an “elevator speech” for the class. On such occasions, you are invited to refer to notes you've made in response to the readings. You may also be quizzed on the high points of the material.

If you are unable to attend class, notify the TA by email before the period begins for consideration of an excused absence.

 

Required Readings:

 

  • Security in Computing (3rd Edition), by Charles P. Pfleeger and Shari Lawrence Pfleeger, Prentice Hall, 2003, ISBN 0-13-035548-8

Recommended:

  • Computer Security: Art and Science, by Matt Bishop, Addison-Wesley, 2003, ISBN 0-201-44099-7


Supplemental Readings/Additional Bibliography:

 

  • Computer Related Risks, by Peter G. Neumann, Addison-Wesley, 1995, ISBN 0-201-558
  • Information Security: Protecting the Global Enterprise, by Donald L. Pipkin, Prentice Hall, 2000, ISBN 0-13-017323-1
  • Information Warfare and Security, by Dorothy E. Denning, Addison-Wesley, 1999, ISBN 0-201-43303-6
  • Internet Besieged: Countering Cyberspace Scofflaws, edited by Dorothy E. Denning and Peter J. Denning, 1998, ISBN 0-201-30820-7


Government Reading

 

Executive Order 13010-Critical Infrastructure Protection (July 15, 1996)

http://www.fas.org/irp/offdocs/eo13010.htm

The President's Commission on Critical Infrastructure Protection (PCCIP) and its final report, "Critical Foundations" (Oct 1997): read the article summary of the report

http://www.marshall.org/article.php?id=65

PDD-63 – Critical Infrastructure Protection (May 22, 1998)

http://www.fas.org/irp/offdocs/pdd/pdd-63.htm

U.S. Commission on National Security/21st Century (Hart-Rudman Commission, September 1999): review just this web page

http://www.disinfopedia.org/wiki.phtml?title=National_Commission_on_Terrorism

Executive Order 13228 - Establishing the Office of Homeland Security and the Homeland Security Council (October 8, 2001)

http://www.fas.org/irp/offdocs/eo/eo-13228.htm

Executive Order 13231 - Critical Infrastructure Protection in the Information Age (October 16, 2001) http://www.fas.org/irp/offdocs/eo/eo-13231.htm

Homeland Security Act of 2002 (H.R. 5005) - http://www.dhs.gov/dhspublic/display?theme=85&content=412

Review--Contents and Title 1 on PDF pages 1-11

“The National Strategy For Homeland Security” (July 16, 2002)

http://www.whitehouse.gov/homeland/book/index.html

Read only— Letter from the President & Executive Summary

“National Strategy to Secure Cyberspace” (February 2003) http://www.whitehouse.gov/pcipb/

Read only— Letter from the President, Executive Summary, & Introduction

“National Strategy for the Physical Protection of Critical Infrastructures and Key Assets”

(February 2003)—Read only--Letter from the President and Executive Summary

http://www.dhs.gov/interweb/assetlibrary/Physical_Strategy.pdf

Executive Order 13231 of October 16, 2001 (as amended by E.O 13286 of February 26, 2003) “Critical Infrastructure Protection in the Information Age”

http://www.dhs.gov/interweb/assetlibrary/EO_13231_Revised.pdf

Homeland Security Presidential Directive (HSPD)-7 (Dec.17, 2003)

Subject: Critical Infrastructure Identification, Prioritization, and Protection

http://www.whitehouse.gov/news/releases/2003/12/print/text/20031217-5.html

“The DHS Strategic Plan--Securing Our Homeland” (February 24, 2004) Read just contents and summary

http://www.dhs.gov/interweb/assetlibrary/DHS_StratPlan_FINAL_spread.pdf

National Infrastructure Advisory Council (NIAC)-- (Just website info and members)

http://www.dhs.gov/dhspublic/display?theme=9&content=3445

Protected Critical Infrastructure Information (PCII) Program (just the program overview)

http://www.dhs.gov/dhspublic/display?theme=92&content=3755

Information Sharing and Analysis Centers (ISACs)

http://www.dhs.gov/dhspublic/display?theme=73&content=1375&print=true


Weekly Schedule (Week: Topics. Reading)

Week 01: Introduction to Security Problems in Computing; Literature Discussion. Reading: Chapter 1
Week 02: Computer Criminals: Amateurs, Crackers, Career Criminals; Literature Discussion. Reading: Chapter 1.2, 1.3, 1.4
Week 03: Vulnerabilities and Controls; Literature Discussion. Reading: Chapter 1.5-1.6
Week 04: Methods of Defense; Effectiveness of Controls. Reading: Chapter 1.7
Week 05: Elementary Cryptography; Literature Discussion. Reading: Chapter 2
Week 06: Program Security; Viruses and Other Malicious Code. Reading: Chapter 3
Week 07: Characteristics of Computer Intrusion and Its Complexity and Secrecy. Reading: Chapter 3.1
Week 08: Midterm Exam, covering Chapter 1 through Chapter 3
Week 09: Protection in General-Purpose Operating Systems; Class Discussion. Reading: Chapter 4
Week 10: Control of Access to General Objects; File Protection Mechanisms. Reading: Chapter 4.3-4.4
Week 11: User Authentication; Class Discussion. Reading: Chapter 4.5-4.7
Week 12: Security for Users; Class Discussion. Reading: Chapter 4.8-4.10
Week 13: Designing Trusted Operating Systems; Literature Discussion. Reading: Chapter 5
Week 14: Assurance in Trusted Operating Systems; Literature Discussion. Reading: Chapter 5.5
Week 15: Last day of class; reading period. Wrap-up and review
Week 16: Final exam period