CSPP56510 – Information Technology Security

Winter Quarter 2008

Preliminary Syllabus

 

Course Objective

The objective of this course is to provide a basic understanding of Information Technology security – and to build an understanding of the elements that should be in place for an IT environment to achieve an adequate security level.  We will begin with a general overview of IT security and introduce a framework for addressing security needs across an enterprise.  Major security objectives and mechanisms for attaining these objectives will be discussed, including cryptography, authentication systems, Public Key Infrastructure, and platform and network security mechanisms.  This course will give an overview of the technical details involved in the platform and network levels of security.  We will look at common TCP/IP applications and discuss their security vulnerabilities.  The course material will be presented in a framework of understanding business risks and how to address them.

 

Students in this course will use the Unix operating system as a basis of learning host security mechanisms and should have a basic familiarity with Unix as a prerequisite.  Students should also be familiar with TCP/IP networks.  Students will be installing, configuring and running security tools obtained from the Internet as a part of their classwork.

 

Required Texts: Security in Computing, Fourth Edition, Charles Pfleeger, 2006 Prentice Hall, 0-13-239077-9

Practical Unix & Internet Security, 3rd Edition, Simson Garfinkel, Alan Schwartz and Gene Spafford, 2003 O’Reilly & Associates, 0596003234, ISBN-13: 978-0596003234

 

Recommended: Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition, William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin, 2003 Addison Wesley Professional. (Version 1 available online - http://www.wilyhacker.com/1e/ )

Network Security: Private Communication in a Public World, 2nd Edition, Charlie Kaufman, Radia Perlman, Mike Speciner, 2002 Prentice-Hall

Security Engineering, Ross Anderson, 2001 Wiley

 

Much of the course reading material will be assigned from selected web sites.

 

 

SIC

Spafford

Other

Week 1

Instructor(s) Introduction

Course Objectives

 

Information Security Overview

  • Objectives of Information Security – confidentiality, integrity, availability

Information Security Framework

  • Control elements and layers
  • Describe above elements in terms of the ISF
  • Describe as "road map" to understanding security and this course

Risk – definition, Control - definition

Security Goals and Mechanisms

  • Authentication – Authorization
  • User IDs, passwords, groups, privileges, access rules

 

Chapter 1

http://www.informit.com/articles/article.aspx?p=680830

 

Chapters 1, 2

CERT Statistics 1988 - 2006

http://www.cert.org/stats/cert_stats.html

 

Merritt paper on Risk Management

http://csrc.nist.gov/nissc/1998/proceedings/paperE5.pdf

Security Breaches

http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

 

 

 

Week 2

Encryption

  • Symmetric, Asymmetric
  • DES, 3-DES, RSA, AES

Uses of encryption – PGP

 

Chapter 2

Chapter 7

Anderson – Security Engineering

http://www.cl.cam.ac.uk/~rja14/Papers/SE-05.pdf

 

Schneier – Security Pitfalls in Crypto

http://www.schneier.com/essay-028.html

 

 

Week 3 

Review – security mechanisms

 

Host Security – Linux

Authentication - /etc/passwd

Authorization - file permissions rwx

Umode

Groups - /etc/group

Shadow passwords

File permissions - s, S, t

suid risks

Path variable risks

Critical files - /etc/hosts, /.rhosts, etc.

Change control – Tripwire

Logging

 

 

Chapter 3, 4

 

http://www.informit.com/articles/article.aspx?p=31782

 

Chapters 4, 5, 6

Stack overflows explained

http://packetstormsecurity.org/docs/hack/smashstack.txt

 

Analysis of Buffer Overflow Attacks

http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

 

Reliability of Unix and NT utilities

http://www.cs.wisc.edu/~bart/fuzz/fuzz.html

 

Improving the Security of Your Unix System

http://the.wiretapped.net/security/info/papers/security/improving-unix-security.pdf

 

 

Week 4

Security Program Development

            security policies

            security awareness programs

 

 

 

Chapter 8

Chapter 3

ebk2007.pdf

Week 5

 

Authentication Mechanisms

  • NIS, NIS+
  • Kerberos

Single Sign-on products

 

PKI

 

 

 

 

Week 6

PKI

Network Security introduction – attacks, security services and mechanisms

Viruses and other Malware

Denial of Service Attacks

Network assessment tools

 

 

Chapter 7

http://www.informit.com/articles/article.aspx?p=31782

 

Chapter 23, 24

Optional:

Chapter 11, Chapter 19

 

Firewalls and Internet Security 1st Edition – Chapter 9 Classes of Attacks

http://www.wilyhacker.com/1e/chap09.pdf

 

Week 7 – Application Security

Forensics – Rick Patterson

IP Security

Risks – sniffing, spoofing

Security over Internet protocols

            /etc/services, /etc/inetd.conf, /etc/rc.d

  • telnet – rlogin – ssh – nfs
  • ftp – tftp
  • web
  • ssl

 

Chapter 12, 14, 15, 16

 

 

Week 8

 

Honeynets – Ryan Moore

 

Wrappers and Proxies

Firewalls

Secure Communication over Insecure Networks – VPNs

Wireless

IDS

 

 

 

 

Chapters 20, 21

Firewalls and Internet Security 1st Edition – Chapter 3 – Firewall Gateways

http://www.wilyhacker.com/1e/chap03.pdf

 

Week 9

 

Audit and Compliance

Regulatory Environment

 

 

 

Chapters 10, 11

 

 

Week 10

 

 

 

Week 11 - Final

 

 

 

 

 

Grading Policy

Homework: 30%

Final: 30%

Final Project: 25%

Quizzes: 15%

 

Homework

Homework will mainly consist of configuring, running and reporting on security tools and solving security implementation problems in writing, plus one final project.  There will not be in-depth programming assignments, unless the student chooses a final project involving programming.