Course Design Document. IS403: Advanced Information Security and Trust

Transcription

1 Course Design Document IS403: Advanced Information Security and Trust Version /10/ 2008 Xuhua Ding

2 Table of Content 1 Review Summary Overview of Advanced Information Security and Trust Course... 3 Synopsis... 3 Prerequisites... 3 Objectives... 3 Basic Modules Output and Assessment Summary... 5 Exercises, quizzes and in class participation (30%; problem solving)... 5 Quiz (30%)... 6 Team Project (40%) Group Allocation for project Learning Outcome Summary Classroom Planning Course Schedule Summary Lis of Information resource and references Weekly Plan IS403: Advanced Information Security and Trust Page 2

3 1 Review Summary Version Description of changes Author Date V1.0 Robert Deng V1.1 Revise the curriculum Xuhua Ding V1.2 Revise the curriculum by adding trusted Xuhua computing, web security and software Ding security V 1.3 Revise the curriculum by replacing the content and adding new projects. Xuhua Ding 26 th Jul th Aug, th Jan, th 10, Overview of Advanced Information Security and Trust Course Synopsis Built on the foundation of the Information Security and Trust course (IS302), the Advanced Information Security and Trust course draws on hard-won experience to explain the latest developments in security protocols, network security, web security, application security and industrial standards. Classroom instruction and discussion will closely integrate technical principles with real world applications such as secure e-banking, secure corporate networking, secure messaging in healthcare environment and multimedia system security. In addition, case studies will be used to demonstrate that security and trust are not only for protection of information assets, but also means of improving business operation or even starting new businesses. Besides the textbook knowledge, AIST also brings to the classroom security practices in industries, e.g. Microsoft, and government agencies (e.g IRAS and CSIT). Prerequisites Students are required to have taken (or have been exempted from taking) the Information Security and Trust course (IS302) to understand basic security concepts and techniques. Objectives Upon finishing the course, students are expected to: IS403: Advanced Information Security and Trust Page 3

4 Understand important security principles, industrial standards, security protocols and their applications. Be able to analyze and evaluate security mechanisms and systems, contrast competing schemes, explain strengths and weaknesses, and identify potential errors or vulnerabilities. Understand the common attacks to security protocols and be able to design security protocols to satisfy security requirements and constraints in real world, such as e-banking, corporate networking, healthcare, and multimedia distribution Be aware of current and future trends in security research and applications. Basic Modules Cryptography Foundation (3 weeks) Advanced Security Technology (5 weeks) - Secure communication protocols - Authentication techniques - Trusted Computing - Database security - Software security (partially by CSIT) Management (2 weeks) - Computer forensics (partially by by IRAS) - Security development lifecycle for IT (SDL-IT) (by Microsoft) Project presentation (1 week) and field trip (1 week) IS403: Advanced Information Security and Trust Page 4

5 3 Output and Assessment Summary Week Output Assessments 1 Announcement of project 2 3 Weighting in % Group Weighting Remarks 4 Project Proposal due; 5 Issue Assignment Assignment 1 due; Issue Assignment Assignment 2 5 (Recess) due 9 Midterm Project presentation and Review 14 No class Project report/ demo (25) 15 Submit project report or demo Total Exercises, quizzes and in class participation (30%; problem solving) IS403: Advanced Information Security and Trust Page 5

6 Evaluation based on attendance, exercises, and classroom interaction (20%) Take-home assignment (10%) Quiz (30%) Cover all materials from week 1 to 7. Include both multiple choice questions and analytical questions Team Project (40%). The students form their own teams with 4~5 members. Each team chooses either Project A or Project B. Project A: A Study of Information Security Technology and its applications Description: A list of information security technologies is given below. The team may select any topic in the list or, with approval of the course instructor, a topic that is not in the list. The team will prepare project proposal, maximum two pages, describing the technical and business issues to be explored in the project report and presentation. The proposal will briefly describe the security threats, and the most salient technical and business issues that have been uncovered by the team so far, and will sketch out the work plan that the team will follow. Proposals that are not approved must be resubmitted for subsequent approval. In these meetings, the teams will brief the instructor on their progress and the instructor will provide suggestions and feedback, List of Candidate Technologies a) Spam s and its countermeasures b) Digital Rights Management c) DDoS attacks and the countermeasures d) Security in video streaming e) Security in sensor networks f) Botnet and its countermeasures g) Disaster recovery h) Steganography The team may choose an information security technology that is not on the list. However, this is subject to approval by the instructor. Project B: Design and implementation of a secure application. Description: The team is required to design a secure application. Two candidate applications are listed below. For each application, its basic functions are specified. The team must first identify the security requirements of the application. Then, it employs existing security IS403: Advanced Information Security and Trust Page 6

7 techniques to design the application/systems in order to satisfy the prescribed security requirements. List of Candidate Applications a) (web forum) HeiKe Alliance is a secret club whose members are hackers. The club head wants to build a web forum so that they can secretly exchange their experience and findings, such as new vulnerabilities and attacking tools, and recruit new members. Suppose you are the club head and have to develop this web forum. b) (group chatting) A company s CEO wants to have a conference with all his marketing managers around the world to discuss their new market expansion plan. Due to the resource constraints in some countries, he chooses to use MSN Messenger group chatting, which allows one participant s message to be sent out to all the others. Suppose you are the CIO of the company and is told to develop an enhanced messenger to protect the security of this incoming meeting. Project A Deliverables: Each team will write a proposal and a project report on their findings and deliver an oral presentation. a) The report will be no more than 30 pages and the oral presentation will be delivers by the team members in 25 minutes followed by 5 minutes Q&A. b) The proposal is less than 2 pages with reasonable formatting, i.e.. single column, single space, 11pt. The proposal must include the names of the team members, the project title, an outline of the report and a schedule. In both the report and the presentation, each team should: a) Describe the background of the chosen technology. b) Explain how the technology evolved, how it works and what security services or functionality it provides. c) Describe the possible business applications of the technology. d) Analyze the possible impact/benefits of deploying the technology in one or more business sectors or markets, and provides a simple case study where appropriate. Project B Deliverables: Each team will write a proposal and a project report and deliver an oral presentation (including a prototype demo). a) The proposal is less than 2 pages with reasonable formatting, i.e. single column, single space, 11pt font. The proposal must include the names of the team members, the project title, an outline of the report and a schedule. b) The report is a design document of the system. The report should explain the security goals of the design and how they are achieved. IS403: Advanced Information Security and Trust Page 7

8 All security related modules must be elaborated in detail (pseudocode). Grade Policy: Each team will be given a team grade based on the written report. The team members will also be given individual grade based on their oral presentation and Q&A. Project A: Proposal (5%), Presentation (10%), Report (25%) Project B: Proposal (5%), Presentation (10%), Report(20%), demo (5%) Remark: To encourage coding, those teams who implement their projects will be awarded up to 5 bonus points, depending on the quality, and will have a higher priority to be nominated for the AIST scholarship. Important Dates: a) Week 3: Proposal submission b) Week 4: Proposal feedback c) Weeks 12: Oral presentation d) Week 14: Written report 4 Group Allocation for project The students form their own groups. Each group consists of 4~5 members. IS403: Advanced Information Security and Trust Page 8

9 5 Learning Outcome Summary IS403 Advanced information security and trust Student Tasks to Achieve Outcomes Faculty Methods to assess Outcomes 1 Integration of business & technology in a sector context 1.1 Business IT value linkage skills 1.2 Cost and benefits analysis skills 1.3 Business software solution impact analysis skills 2 IT architecture, design and development skills 2.1 System requirements specification skills YY Analyzing the security requirements of a system Project B proposal Design secure systems. Apply 2.2 Software and IT architecture analysis and existing security technologies/tools YY design skills to solve security problems in Project B, Exam applications. 2.3 Implementation skills Y Implement a secure system Project B 2.4 Technology application skills Y Apply existing security technologies/tools to solve security Project B, A problems in applications. 3 Project management skills 3.1 Scope management skills 3.2 Risks management skills 3.3 Project integration and time management skills 3.4 Configuration management skills 3.5 Quality management skills 4 Learning to learn skills 4.1 Search skills YY 4.2 Skills for developing a methodology for learning 5 Collaboration (or team) skills: Search and study the technical documents, including standards. Assignment 1, Project A 5.1 Skills to improve the effectiveness of group processes and work products Y Students must apply this skills when tackling the group projects Project A, B 6 Change management skills for enterprise systems Skills to diagnose business changes 6.2 Skills to implement and sustain business changes Skills for working across countries, cultures and borders 7.1 Cross-national awareness skills 7.2 Business across countries facilitation skills 8 Communication skills 8.1 Presentation skills YY 8.2 Writing skills YY Students must do the project presentation. Students must submit a project report. Project A, B Project A, B IS403: Advanced Information Security and Trust Page 9

10 Y YY This sub-skill is covered partially by the course This sub-skill is a main focus for this course 6 Classroom Planning There is one session of 3 hours classroom in each week. This will be split into two sessions of 1.5 hours each. The first session will mostly cover new topics and review previous lectures. Some portion of the second half may be used for exercises and hand-on experiments. The implementation may vary from week to week. 7 Course Schedule Summary Wk Focus Readings Classroom Activity Assignments 1 Cryptography Foundations I Chapter 2.1, 2.5, Appendix B Review basic security concepts, and principles. Introduce probability and randomness project starts 2 Cryptography Foundations II 3 Cryptography Foundations III Chapter 20.1, 20.2 Chapter 20.3, 19.1~5 hash functions. Lab: find a collision of a hash Public key and symmetric key crypto Project proposal due 4 Secure communication protocols Chapter 22.3, 20.4 Lab: the size of keys 5 Authentication Chapter 3 Password security, biometric authentication Proposal feedback due Assignment 1 6 Database Security 7 Trusted Computing / Software Security 8 Recess 9 Software Security 10 Security development lifecycle for IT Chapter 5 Chapter 7, 11.1, 11.2, 12.1~3 Chapter 10 Exam A talk by Joseph from CSIT on software security and its business issues A guest lecture by Dr. Bradley Jensen from Microsoft 1 hour on SDL 1 hour on threat modeling 1 hour threat modeling lab IS403: Advanced Information Security and Trust Page 10

11 11 Security Auditing and Computer forensics A 1 hour talk by IRAB on computer on computer forensics. 12 Debate Debate on Trusted Computing Technology 13 Project presentation List of Information resource and references Course textbook: Computer Security: Principles and Practice, by William Stallings and Lawrie Brown, Pearson International Edition Reference book: 1. Principles of Computer Security: Security+ and Beyond, by Wm Arthur Conklin, Gregory B. White, Chuck Cothren, Dwayne Williams, and Roger L. Davis, McGraw Hill, 2. Security in Computing, by Charles Pfleeger and Shari Pfleeger 3. Information Security: Principles and Practice, by Mark Stamp, Wiley- Interscience, Weekly Plan IS403: Advanced Information Security and Trust Page 11

12 Week: 1 Date: Topic: Cryptography Foundation Session 1 (Introduction, security principles and processes) Threat, vulnerability and attack Security services Confidentiality Integrity Authentication Availability Understanding of Randomness Chapter 2.1, 2.5, Appendix B Project: Project team formulation (4 person per team) Project assignment and requirement Study of information security technology and its applications Week: 2 Date: Topic: Cryptography Foundation Hash functions o One-way ness o Weak-collision resistance o Strong-collision resistance Application of hash functions Lab: collision of hash functions Chapter 20.1, 20.2 Project: Continue project (office hour) Week: 3 Date: Topic: Cryptography Foundation RSA Cryptosystem o Mathematical foundation of RSA encryption/signatures o OAEP and PSS padding The security implication of the order of public key encryption and digital signatures Symmetric key encryption Lab: security and key size Chapter 20.3, 19.1~5 Project: Project proposal due Week: 4 Date: Topic: Secure Communication Protocols Two party communication: key establishment, confidentiality and integrity protection Multiparty-party communication: Public key infrastructure IS403: Advanced Information Security and Trust Page 12

13 Chapter 22.3, 20.4 Assignment 1: Eavesdrop the network and do a protocol analysis Week: 5 Date: Topic: Authentication User Authentication Techniques Password Security Biometric Authentication Two factor authentication Single Signon Lab: bio authentication: password + keystroke Chapter 3 Project continue Week: 6 Date: Topic: Database Security Database Access Control Inference Control Statistical Database Chapter 5 Project continues Week: 7 Date: Topic: Software Security Virus Buffer overflow attack and its defense Handling program input Writing Safe Program Code Lab: Buffer overflow attack Chapter 7, 11.1, 11.2, 12.1~3 Project continues Week 8: Recess Week: 9 Date: Topic: Trusted Computing Trusted Computing Midterm IS403: Advanced Information Security and Trust Page 13

14 Chapter 10 Project continue Week: 10 Date: Topic: Security Development Lifecycle for IT (SDL-IT) 1 hour on SDL-IT 1 hour on Threat Modeling Lab: (1 hour) threat modeling lab Chapter 16.3 Project continues This lecture is led by Dr. Bradley Jensen from Microsoft. Week: 11 Date: Topic: Computer Forensics and Security Auditing 1 hour talk by Felix Lim from IRAS, How a CIT deal with Computer Forensics Computer Forensics and Security Auditing Lab: Windows Forensics Chapter 10 Project continues Some of the material is provided by Microsoft. Week 12: Debate Week 13: Project presentation Week 14: Project due IS403: Advanced Information Security and Trust Page 14