Syllabus: AIT 673 (Online) - Cyber Incident Handling/Response



Similar documents
Syllabus: AIT Information Systems Infrastructure Lifecycle Management

Syllabus: AIT Information Systems Infrastructure Lifecycle Management

PUAD 502 Administration in Public and Non-Profit Organizations Term Offered Fall, 2015 Syllabus

Course Syllabus CJ W Intro. to Homeland Security, Internet based Spring 2016

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline

Lakeland Christian Academy Online Course Handbook

STUDENT HANDBOOK Trent Online

Minimum Computer System Requirements

HAP 750 Legal Issues in Health Administration Summer 2014

Sage Grant Management System Requirements

CISM Fundamentals of Computer Applications

1. COURSE DESCRIPTION

School of Nursing Graduate Program Frequently Asked Questions for Prospective DNP Students. 1. What is the Doctor of Nursing Practice (DNP) program?

SPRING 2015 EDSE 501 6S1: Introduction to Special Education CRN: 20941, 3 - Credits

ECON-2105, Principles of Macroeconomics, 1rst Half Term, Spring/2016

Fall Syllabus. College of Health and Human Services. HAP 700: Introduction to Health Informatics. Course information

CISS 365 DEA Project Management

To ensure you have the appropriate equipment and settings please review the following: Software and Hardware Recommendations.

MCS5813 Cryptography Spring and select CRN 3850

IT 342 Operating Systems Fundamentals Fall 2014 Syllabus

Course: MTH 595AZ - Algebra and Middle School Mathematics Curriculum Development with TI-Nspire Technology Course credit: 3 (3-0) Term:

ONLINE COURSES: GETTING STARTED GUIDE

4ECE 320 Signals and Systems II Department of Electrical and Computer Engineering George Mason University Fall, 2015

Introduction to Psychology Psych 100 Online Syllabus Fall 2014

CISS 365 A Project Management

Collin College Business and Computer Systems

Course Name (e.g., Introduction to Human Resource Development) Course Code and Section Number (e.g, HRDV 2301 D01) Semester (e.g.

CMPS 109 Presentation Software

CIS 296 Computer Forensics Proposed Start: Spring Instructor's Name: Office Location: Office Hours: Office Phone:

Syllabus: ECE 401 History and Foundations of Early Childhood Education Fall 2013

MGT495W: Human Resource Management Spring 2013

IT 106 Introduction to IT Problem Solving Using Computer Programming revised

PREREQUISITES Completion or concurrent enrollment in all other required general education courses, GOVT 300, and 18 credits in the major.

MGSC 290 Computer Information Systems in Business SYLLABUS Spring 2008

EDAD 641 School District Instructional Leadership: Curriculum COURSE SYLLABUS: Fall 2013

etroy Abnormal Psychology 3304 TERM 1, 2015

How To Use Blackboard Collaborate Web Conferencing On A Computer Or Phone (For Students)

Teleworking Technology Guide and Checklist. UW Information Technology. November 2012

PELLISSIPPI STATE COMMUNITY COLLEGE MASTER SYLLABUS WEB DESIGN III: ADVANCED SITE DESIGN WEB 2812

PSY 201 General Psychology Online Fall credits

Video conferencing with its multiple simultaneous video chats demands a good deal from your computer. The following platforms are required:

GB 401 Business Ethics COURSE SYLLABUS: Fall Week Online Syllabus Ms. Jessica Robin COURSE OVERVIEW

NURS 529 Nursing Informatics

Texas A&M University Texarkana Abnormal Psychology Psy. 316 Fall 2015

TCOM 562 Network Security Fundamentals

WBIT Human Computer Interaction. Course Syllabus

EDAD 647 COURSE Syllabus

Collin College Business and Computer Systems

IT 101 Introduction to Information Technology

EQSC 240/L INTRODUCTION TO EQUINE SCIENCE

TECH 4101 HUMAN RESOURCES FOR ADMINISTRATIVE AND TECHNOLOGY MANAGERS (R1 section) Course Syllabus Fall 2015

College of Business and Technology Department of Accounting EMBA 540: Accounting for the Executive August 26 November 3, 2013 COURSE SYLLABUS

Advanced Digital Forensics ITP 475 (4 Units)

COLLIN COLLEGE COURSE SYLLABUS

PELLISSIPPI STATE TECHNICAL COMMUNITY COLLEGE MASTER SYLLABUS CIW JAVASCRIPT FUNDAMENTALS WEB 2300

GIT 335 COMPUTER SYSTEMS TECHNOLOGY Course Syllabus Fall 2008 Professor Penny Ann Dolin

College of Health and Human Services. Fall Syllabus

HIT Computer Applications in Health Information Systems 3 Credit Hours

How To Pass A Network Security Course Online At Sp College

INTRODUCTION TO WELLNESS (PHED 101) Messiah Online Summer 2012

Recommended Syllabus First Year Experience Seminar FYEX 100-Section # Day/Time of Course

NURS W Nursing Informatics (MSN Program) Texas A&M University Texarkana Fall 2012

Sociology 1010 Online Course Syllabus Spring 2013

Student & Parent Handbook

NURS 1050 Medical Terminology. Course Description

WHITE MOUNTAINS COMMUNITY COLLEGE 2020 Riverside Drive, Berlin, NH COURSE SYLLABUS. Introduction to Psychology.

Common Syllabus Revised

MySciLEARN System Requirements. For educators and providers using the Fast ForWord and Reading Assistant programs

MGMT 360 (Hybrid) Organizational Theory

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

ip (HAMG Hospitality 2305) Online Prerequisit completed totally online. 9 th ed. F6.4, F12.4) interviews In research, the A.

HHPS W Administration in Sport and Recreation Programs (Online) Fall, 2015

PSYC 414 COGNITIVE PSYCHOLOGY

MySciLEARN System Requirements. For educators and providers using the Fast ForWord and Reading Assistant programs

Troy Online. Course Syllabus. BUS4474 Business and Society Term

EDU Fall 2010 Course Syllabus Instructional Design for Online Learning Instructor: Faculty Bio button Contact Policy:

School of Arts and Humanities PSYC610 Course Title: Multicultural Perspectives in Human Behavior. 3 Graduate Credit Hours 8 Weeks Prerequisites: None

CS 464/564 Networked Systems Security SYLLABUS

Course Syllabus Revised: Dec. 20, 2011.

INFORMATION SECURITY TRAINING CATALOG (2015)

Texas A&M University Texarkana Advanced Personality Psychology Psy. 546 Fall 2015

Math Online Calculus I Course Syllabus

PSYCHOLOGY 101 ONLINE. Course Information and Syllabus Summer 2014

College of Health and Human Services. Spring Syllabus

THE UNIVERSITY OF TEXAS AT BROWNSVILLE College of Education Syllabus

Extended Learning Department

BADM323: Information Systems for Business Professionals SU2016 Online Course

WRITTEN TESTIMONY OF

Texas A&M University-Commerce MKT E: Selling and Sales Management

Seattle Central Community College BITCA Division. Syllabus MIC Online

Education & Training Plan. Green Interior Design Specialist Certificate Program

Diagnostic Coding OST 148 OL1 Fall Semester 2015 Class hours: Online

Transcription:

Syllabus: AIT 673 (Online) - Cyber Incident Handling/Response Term: Spring 2015 Instructor: Jay Holcomb, Adjunct Faculty, Department of Applied Information Technology, Volgenau School of Engineering GMU Website: http://mason.gmu.edu/~jholcom9/ E- mail: jholcom9@gmu.edu Course: AIT 673 (Online) -- Cyber Incident Handling/Response Examines Computer Emergency Response Team (CERT), including Incident Response, Vulnerability Assessment, Incident Analysis, Malcode Analysis, Forensics and Investigations. Includes exercises in CERT operations and a final Incident Handling project. Credits: 3 Day/Time: Online Where: Via Blackboard Textbook (Required): Jason Luttgens, Matthew Pepe, and Kevin Mandia, Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014). ISBN: 978-0071798686 (http://www.amazon.com/incident-response-computer-forensics-edition/dp/0071798684/) Also available on Safari Tech Books Online, part of the E-Book Databases@Mason. (http://proquest.safaribooksonline.com.mutex.gmu.edu/book/networking/incident-response/9780071798686?bookview=overview) Other Resources: Paper readings and Internet resources posted on Blackboard -- AIT 673 Course Course Goals: 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. Version 1.0 Page 1 of 13 Spring 2015

Course Expectations: 1. Working online requires dedication and organization. Proper preparation is expected every week. You are expected to log in to the course each week and complete the assignments and activities on or before the due dates. 2. Students must check their GMU email messages on a daily basis for course announcements, which may include reminders, revisions, and updates. 3. It is expected that you will familiarize yourself with and adhere to the Honor Code. (http://oai.gmu.edu/the-mason-honor-code-2/) Student members of the George Mason University community pledge not to cheat, plagiarize, steal, and/or lie in matters related to academic work. 4. It is essential to communicate any questions or problems to me promptly. Online Learning Community: This online course is taught via Blackboard Courses (Log into http://mymason.gmu.edu, select the Courses Tab, and the course can be found in the Course List). This course is offered entirely online. Each week begins one on Monday and ends on Sunday. There are two (2) LIVE sessions during our term: 1. Week 6 -- review of a virtual demonstration of tools we have been discussing using Blackboard Collaborate. You must be at a computer with a microphone in order to participate in this LIVE session 2. Week 14 -- for the formal presentation of your team projects using Blackboard Collaborate. You must be at a computer with a microphone in order to present your team project brief during the LIVE session. In our online learning community, we must be respectful of one another. Please be aware that innocent remarks can be easily misconstrued. Sarcasm and humor can be easily taken out of context. When communicating, please be positive and diplomatic. I encourage you to learn more about Netiquette. (http://networketiquette.net/index.html) Version 1.0 Page 2 of 13 Spring 2015

Technology Requirements: The technology requirements for this online course are listed below: Hardware: You will need access to a Windows or Macintosh computer with at least 2 GB of RAM and a fast, reliable broadband Internet connection (e.g., cable, DSL). For optimum visibility of course material, the recommended computer monitor and laptop screen size is 13-inches or larger. You will need computer speakers or headphones to listen to recorded content. A headset microphone is recommended for live audio sessions using course tools like Blackboard Collaborate. For the amount of computer hard disk space required to take an online course, consider and allow for the space needed to: Software: o Install the required and recommended software o Save your course assignments Web browser (See Blackboard Support [http://coursessupport.gmu.edu/students/] for supported web browsers) Blackboard Courses (Log into http://mymason.gmu.edu, select the Courses Tab) Blackboard Collaborate (select from the course menu) Adobe Acrobat Reader (free download http://get.adobe.com/reader/) Flash Player (free download http://get.adobe.com/flashplayer/) Microsoft Office (purchase http://compstore.gmu.edu/products/microsoft/) For hardware and software purchases, visit Patriot Computers. (http://compstore.gmu.edu) Note: If you are using an employer-provided computer or corporate office for class attendance, please verify with your systems administrators that you will be able to install the necessary applications and that system or corporate firewalls do not block access to any sites or media types. Version 1.0 Page 3 of 13 Spring 2015

Grading policy: Grades will be determined based on the following: Grade Component Weight Current Cyber Event Paper #1 5% Current Cyber Event Paper #2 5% Team Paper -- Case Study #2 10% Quiz 10% Discussion Topic Participation (6 at 5% each) 30% Team Project and Online Presentation 30% Online Participation 10% Total: 100% The grading scale for this course is: Numeric Grade Letter Grade 97 100% A+ 93 96% A 90 92% A- 87 89% B+ 83 86% B 80 82% B- 77 79% C+ 73 76% C 70 72% C- 60 69% D 0 59% F Version 1.0 Page 4 of 13 Spring 2015

Current Cyber Event Papers (2 @ 5% each = 10%): Select a recent cyber event - research the event using open source references - then write an executive-level technical brief on the event. Include the following as a minimum: threat vector used, vulnerability attacked, incident response actions taken, your recommended mitigations, business impact of this event. The length of this paper should be one page - maximum of two pages. (One page is a single side of paper) On a separate page include your open source references - minimum of two (2) unique sources are required. Quiz (10%): A 25 question open-book multiple-choice quiz covering the key terms/topics discussed during the first seven (7) weeks of the course. Team Paper - - Case Study #2 (10%): (Five teams of 5 people each) Using Case Study #2 (Chapter 1, page 15) build a high-level remediation plan outline and answer four (4) incident response remediation questions. Discussion Topic Participation (6 at 5% each = 30%): Six (6) interactive discussion weeks which require student engagement throughout the week supporting incident response specific objectives. Active participation throughout the week is required for successful completion and to ensure maximum learning objectives are achieved. Each discussion topic has been carefully selected, and crafted, to support the cyber incident response topic. Student opinions and Internet researched support materials are strongly encouraged. Team Project and Presentation (30%): (Five teams of 5 people each) Incident response team -- select a fictitious critical infrastructure sector company and create a senior executive (CISO/CIO) level report, with accompanying executive briefing, highlighting why your company needs an internal CIRT/CERT team or why it should outsource the CIRT/CERT capability. At a minimum cover what will happen when your company is hit with malicious software, or a breach, describing a potential Company incident in great detail. Include how your recommended CIRT/CERT team will approach/engage, processes they will use, tools (software and hardware) that you expect them to have/use, timing and potential business impacts, estimated incident costs (to include potential CIRT/CERT team set-up and team O&M), team skills needed with estimated costs, and the [critical] reporting processes. The length of the report should be less than 25 pages. (One page is a single side of paper) On a separate attachment include your open source references. Your team will submit your report and give an online LIVE presentation during our final session. Again, the team presentation will be an online LIVE presentation to the entire class. Class Participation (10%): Active participation and engagement in the online environment throughout the course including weekly discussions, team papers, and team projects. Version 1.0 Page 5 of 13 Spring 2015

Course Schedule: Preparation/Discovery Section Week 1: Introduction to Incident Response and Handling -- CIRT/CERT Overview Objective: Develop an understanding of the purpose of a Computer Emergency Response Team (CERT), why an organization needs a CERT, composition of a CERT team, and the incident response life cycle. 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. Read: NIST Special Publication 800-100 (October 2006), Chapter 13 Read: Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 2, Review: Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI 2 nd Edition (April 2003), Pages 9 42 Week 1 Assignment: Online Class Introductions see Week 1 Weekly Module in Blackboard Discussion Topic #1 see Week 1 Weekly Module in Blackboard Week 2: Incident Response Team and Case Study #1 Objective: Analyze the pre-incident preparation required by an incident response team and the organization. Identify key areas of the organization, incident response team, and corporate infrastructure needed to develop for a successful incident response capability. 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. Read: Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 3, and Case Study #1 Review: NIST Special Publication 800-61 Revision 2 (August 2012), Chapter 2 Week 2 Assignment: Discussion Topic #2 see Week 2 Weekly Module in Blackboard Version 1.0 Page 6 of 13 Spring 2015

Preparation/Discovery Section cont d Week 3: Networking Security Monitoring and Indicators/Leads Objective: Identify the types of networking monitoring an organization may implement and explain the benefits for implementing network monitoring within an organization. Define the value of a lead/indicator to an incident response team and follow-on value to the larger organization. 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. Read: Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 5 and Chapter 9 Read: Mandiant, APT1 Exposing One of China s Cyber Espionage Units -- see Week 3 Weekly Module in Blackboard Week 3 Assignment: Discussion Topic #3 see Week 3 Weekly Module in Blackboard Week 4: Initial Incident Detection/Facts Objective: Explain why initial facts in a potential incident are critical and how checklists can help provide objectivity to a potential incident detection. Identify three checklists that could assist the incident response team with objectivity regarding a potential incident detection. Read: Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 4 Read: FireEye -- APT28: A WINDOW INTO RUSSIA S CYBER ESPIONAGE OPERATIONS? -- see Week 4 Weekly Module in Blackboard Read: NIST Special Publication 800-61 Rev 2 (August 2012), Chapter 3: pages 21-34 Week 4 Assignment: Current Cyber Event Paper #1 see Week 4 Weekly Module in Blackboard Version 1.0 Page 7 of 13 Spring 2015

Data Collection/Analysis Section/Remediation Week 5: Enterprise Services and Case Study #2 Objective: Identify at least five (5) enterprise network services that most organizations implement. Explain the functions and benefits of these network services to an organization and their importance to an incident response team. 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. 3rd Edition (August 8, 2014), Chapter 10 and Case Study #2 Review Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 18 Review: The Internet Assigned Numbers Authority (IANA) web site (https://www.iana.org) and associated resources available on this web site. Week 5 Assignment: Team Online Discussion -- Case Study #2 and continued work on Final Project see Week 5 Weekly Module in Blackboard Week 6: Forensic Duplication and Hashing Objective: Identify the three primary types of forensic images an incident response team may create and differences between the three. Explain the process used to create a forensic duplication. Describe what hashing is, why is important, and what benefits it provides to the incident response team. 3rd Edition (August 8, 2014), Chapter 8 and Chapter 15 (pages 474 and 475) Week 6 Assignment: Online LIVE #1 Session - review a virtual demonstration of cyber forensic tools we have been discussing see Week 6 Weekly Module in Blackboard Version 1.0 Page 8 of 13 Spring 2015

Data Collection/Analysis Section/Remediation cont d Week 7: Report Writing and Remediation Objective: Explain why reporting writing is one of the most important functions of an incident response team. Identify and analyze the eight (8) high-level steps which make-up the incident response remediation process. 3rd Edition (August 8, 2014), Chapter 16 and Chapter 17 Review Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014), Chapter 18 Week 7 Assignment: Team Paper -- Case Study #2 see Week 7 Weekly Module in Blackboard Week 8: Live Data Collection Objective: Explain the primary purpose for live data collection. Identify at least five (5) best practices for establishing a good process regarding live data collection. Compare and contrast memory collection on Microsoft Windows and Unix/Linux based systems. 3rd Edition (August 8, 2014), Chapter 7 Week 8 Assignment: Quiz see Week 8 Weekly Module in Blackboard Version 1.0 Page 9 of 13 Spring 2015

Analysis cont d / Post Incident Section Week 9: Analysis Methodology Objective: Recommend a repeatable process to follow when preparing to gather and analyze incident response related data. 3rd Edition (August 8, 2014), Chapter 11 Week 9 Assignment: Current Cyber Event Paper #2 see Week 9 Weekly Module in Blackboard Week 10: Investigating Applications (like Web Browsers/E-mail) Objective: Explain the value of potential forensic evidence stored within user and server applications. Describe what application data is and where it is stored. Analyze web browser user data and the potential value of this data. 3rd Edition (August 8, 2014), Chapter 14 Week 10 Assignment: Discussion Topic #4 see Week 10 Weekly Module in Blackboard Version 1.0 Page 10 of 13 Spring 2015

Analysis cont d / Post Incident Section cont d Week 11: Investigating Windows Systems Objective: Identify the potential sources of incident response data on a Microsoft Windows operating system. Explain the purpose and potential evidence that may be found in the following areas; NTFS/File System, Prefetch, Event logs, Scheduled tasks, and the Windows registry. 3rd Edition (August 8, 2014), Chapter 12 Week 11 Assignment: Work on Team Project and Presentation use this week to wrap-up your team project documentation and begin work on your group presentation. See Week 11 Weekly Module in Blackboard Week 12: Investigating Mac OS X Systems Objective: Identify the potential sources of incident response data on an Apple MC OS X operating system. Explain the purpose and potential evidence that may be found in the following areas; HFS+ file system, core operating system, Spotlight data, System and application logs, and Application and system configurations. 3rd Edition (August 8, 2014), Chapter 13 Week 12 Assignment: Discussion Topic #5 see Week 12 Weekly Module in Blackboard Version 1.0 Page 11 of 13 Spring 2015

Analysis cont d / Post Incident Section cont d Week 13: Malware Triage Objective: Identify at least three (3) steps to decrease the infection opportunity while analyzing malware in a virtual environment and at least five (5) configuration/process changes that can decrease the infection opportunity. Explain Static malware analysis and why it can be useful to an incident response team. Explain Dynamic malware analysis and why it can be useful to an incident response team. 2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities. 3rd Edition (August 8, 2014), Chapter 15 Week 13 Assignment: Discussion Topic #6 see Week 13 Weekly Module in Blackboard Team Project Delivery/Presentation Week 14 Assignment: Online LIVE #2 Session Team Presentation -- see Week 14 Weekly Module in Blackboard Version 1.0 Page 12 of 13 Spring 2015

Honor Code: All work performed in this course will be subject to the GMU s Honor Code. (http://oai.gmu.edu/themason-honor-code-2/) Any violation will be reported to the honor committee. Academic Integrity: GMU is an Honor Code university; please see the Office for Academic Integrity (http://academicintegrity.gmu.edu/honorcode/) for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else s work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification. Office of Disability Services: If you are a student with a disability and you need academic accommodations, please notify me and contact the Office for Disability Services [http://cte.gmu.edu/teaching/disability%20services ] (ODS) at 993-2474, http://ods.gmu.edu. All academic accommodations must be arranged through the ODS. Mason e- mail Accounts: Students must use their MasonLIVE email account to receive important University information, including messages related to this class. See http://masonlive.gmu.edu for more information. Other Useful Campus Resources: Writing Center: A114 Robinson Hall; (703) 993-1200; http://writingcenter.gmu.edu University Libraries Ask a Librarian : http://library.gmu.edu/mudge/im/imref.html Counseling And Psychological Services (CAPS): (703) 993-2380; http://caps.gmu.edu University Policies: The University Catalog, http://catalog.gmu.edu, is the central resource for university policies affecting student, faculty, and staff conduct in university academic affairs. Other policies are available at http://universitypolicy.gmu.edu/. All members of the university community are responsible for knowing and following established policies. Version 1.0 Page 13 of 13 Spring 2015

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information