MSIT 458: Information Security and Assurance

Winter 2015

Yan Chen


I.  Course description:

The past decade has seen an explosion in the concern for the security of information. This course introduces students to the basic principles and practices of computer and information security.  Focus will be on the software, operating system and network security techniques with detailed analysis of real-world examples. Topics include cryptography, authentication, software and operating system security (e.g., buffer overflow), Internet vulnerability (DoS attacks, viruses/worms, botnets, etc.), intrusion detection systems, firewalls, VPN, Web and wireless network security. 

II. Required text and/or other materials:
III.  Reference text and/or other materials:
IV. Required prerequisites or knowledge base
V. Rationale for inclusion in MSIT Program:

This course provides students with an extensive understanding of information security management with emphasis on network security. Whereas other courses provide an overview of the basics of the discipline, information security is simultaneously a technical and managerial discipline with enterprise-wide implications for employees, operations and systems at every level. For organizations to successfully implement and manage an effective and efficient security program while managing shifting risks associated with interrelated information technology and decision-making employees, contractors, vendors, and suppliers must understand the concepts, technologies and practices of information security and be able to apply them effectively in their own distinctive areas of responsibility.

VI.
Course goal: VII. Course Objectives:
Upon successful completion of this course, the student should be able to:
VIII. Course topics/content (by week):
Date Topics/slides Readings Assignment
Jan 10
Course logistics and Cryptography [crypto.ppt] Stallings Chapters 2, 3 and 9, KPS Chapters 2, 3 and 5 project part 1 due on Jan 15.
Jan. 17 Cryto [cont'ed]
User authentication and authorization
(case study: Single Sign On (SSO) system and Kerberos) [authentication.ppt]
KPS Chapters 9 and 10,
Password Security: A Case History, Communications of ACM, vol.22 no.11, 1979.
A Survey of Botnet Technology and Defenses,  in the Proc. of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security.
Botnet paper summary and Homework 1 due on Jan 22.
We will do a lab for nmap next week.  Before that, you need to download nmap to you computer by following the instructions.
Jan. 24 Network/Vulnerability scanner (case study: nmap and nessus (installation demo)).

Malcode  [malcode.ppt]
Botnet Chronicles – A Journey to Infamy, Trend Micro white paper 2010.
Stallings Chapter 19 (Malware)
A Taxonomy of Computer Worms, N. Weaver, et al, the First ACM Workshop on Rapid Malcode (WORM), 2003.
Homework 2, due on Jan. 29. Project problem statement presentation slides due on Jan. 27.

Jan. 31 Botnets [botnet.ppt]
DoS Attacks [DoS.ppt]
Project problem statement presentation and feedback from each group (see the list below)
Detecting SYN Flooding Attacks, H. Wang, D. Zhang, and K. G. Shin, in Proc. of IEEE INFOCOM, 2002
Web Based Attacks, Symantec white paper, Feb. 2009.  (Podcast from Symantec).
Web security paper summary and Homework 3 due by Feb. 5.
Feb. 7 WWW Security and Defense [web.ppt].
Demo tutorial and SSH set up instructions if you would like to try the demo yourself.
Vulnerability Analysis of Web-Based Applications,  Chapter in ``Test and Analysis of Web Services", Springer, September 2007. [reference slides].
KPS Chapter 25 (Web security)
Homework 4 due on Feb. 12.
Feb.14 Intrusion Detection/Prevention Systems (case study: snort IDS) [IDS.ppt][snort.ppt]
Stallings Chapter 18 (IDS).
Wireless and Network Security Integration Solution Overview, Cisco Inc. Here are more detailed guidelines on the solutions (i.e., expanding the overview).
Homework 5  and wireless security paper summary due on Feb. 19.
Feb. 21 Firewalls [firewalls.ppt]
Wireless network security and techonology integration for compliance (case study: Cisco) [wirelessSec_cisco.pptx].
Handout from Chapter 9 of Firewalls and Internet Security: Repelling the Wily Hacker.
Stallings Chapter 20 and KPS Chapter 23 (firewalls)
Homework 6 due on Mar. 5
Project final solution slides due on Mar. 3.

Mar. 7 morning Final project solution presentations (see the list below).

Homework 7 due on Mar. 12.
Mar. 7 afternoon Invited talk on Security Policy by  Brandon Hoffman, CTO at Lumeta.
Review for the final.

Symantec Internet Security Threat Report
Mar. 14 Final Exam.
Invited talk on "Cyber Crime Past, Present and Future!" by Jibran Ilyas, Assistant Director at Stroz Friedberg.



The lecture notes have incorporated course materials developed by Dan Boneh (Stanford), Wenke Lee (Georgia Tech), David Lie (U Toronto), Aleph One, Vitaly Shmat (UT Austin), Martin Roesch (Sourcefire Inc.), and David Dittrich (University of Washington).

Week 4 (January 31)

Project problem statement presentation and feedback from each group

Week 9 (March 7)

Project final presentations from each group
X. Assignments
There will be several group-based homework assignments so that students can reflect on what they learn in each class and try to apply them. In the beginning of each class, we will discuss the homework as warm-up. 

In addition, students are expected to engage in technical paper reading, and writing summaries. These papers are carefully selected (with little math!) which can be understood with the basic information security and networking knowledge.   Each group is expected to briefly present their findings and takeaway of the papers.

Your summary should include at least:

Project: each group will work on a quarter-long project called Information Security in Real Business with the following steps.
Part 1: Understanding the security issues and requirements in your corporate/organization, using the four cornerstones of secure computing introduced in the class.  For each of the cornerstone, select one (or more) issue(s) and compare how that was handled in different corporates/institutes of each team member, and what remains to be done to fully satisfy the security requirements.  If you are uncomfortable talking about your employers security practices, you can anonymize the name or use a hypothetical case but reflects the real problems in industry.  The requirements do not (and probably should not) to be restricted to the technical ones, but can be related to legal, business, social, or anything to do with information security.   In the submission, please also give suggestions on the current syllabus, e.g., important topics which are currently missing, interesting extra teaching materials that you are aware of, etc. I will try to make adjustment based on the suggestions. The suggestion part is optional. It will not affect your grade if you don't have any.

Given there are increasing number of full time students who do not have employers, it is a group assignment now.  But each group needs to submit two case studies for two different companies.  In each case study, you are expected to analyze the four cornerstones.   The report should be in Word or pdf.
The format should be something as follows:

Company 1: general introduction

Security analysis: (write a paragraph for each of the points below)
1.    Confidentiality:
2.    Authenticity:
3.    Integrity:
4.    Availability:

Issues identified:

Company 2: general introduction

Security analysis: (write a paragraph for each of the points below)
1.    Confidentiality:
2.    Authenticity:
3.    Integrity:
4.    Availability:

Issues identified:

Part 2:  From the (at least) four issues, pick the most interesting one to your group and the one which should not been very well solved (or the one being solved, i.e., an ongoing project) in your corporates/organizations.  Formulate a security problem and do some research on the related work. Please show why this problem is a general one that comes across multiple industry/education/government sectors. Each group is expected to give a presentation (5-10 minutes) to seek synergy and early feedback from other students and the instructor in week 5.

Part 3:  Then please analyze the pros and cons on the existing work, and propose a solution to the problem you formulated, by either adopting existing solutions, or propose something new. Please be specific on how you will implement or have implemented the solutions (down to the product level), the cost/risk analysis, feasibility analysis, business/legal consequence, how this solution will fit different corporate context, like industry, education, government, etc. Each group is expected to give a final project presentation towards the end of the quarter.  The presentation is expected to be 20 minutes plus 3 minutes Q&A. But we can have Q&A mingled w/ the presentation, i.e., each team has 23 minutes, including the switch time.

Note: all homework are due by the 11:59pm of Thu. night.  Email only presentations to me and email all other homework (project part 1, paper summary and homework) to msit458@gmail.com.

XI. Grading criteria

XII.Instructor profile

Yan Chen is an Professor in the Department of Electrical Engineering and Computer Science at Northwestern University. He got his Ph.D. in Computer Science from the University of California at Berkeley in 2003. He has over ten years of experience in network security, network and distributed system measurement and diagnosis. He won the Department of Energy (DOE) Early CAREER award in 2005, the DoD (Air Force of Scientific Research) Young Investigator Award in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with his colleagues. His research is also sponsored by National Science Foundation (NSF), Motorola, NEC, and Huawei. In addition to the industry sponsors, he has widely collaborated with industry researchers from Microsoft, AT&T, Motorola, Yahoo, Keynote, and the Internet Storm Center of the SANS (SysAdmin, Audit, Network, Security) Institute. According to Google Scholar, his papers have been cited for more than 7,000 times. He has also offered security consulting services to several companies.  Recently, he was invited to serve in the Illinois Governor Pat Quinn’s Internet Privacy Task Force.  The taskforce will examine what the state can do to prepare and protect Illinois’ industry and infrastructure from cyberattacks.  This committee is led by Jake Braun, former Director of White House and Public Liaison for the Department of Homeland Security, with other high-profile members such as CIOs from Motorola Mobility, Boeing, and the Northern Trust Company.

He started several security courses at Northwestern University, including the EECS 350 Introduction to Computer Security, EECS 354 Network Penetration and Security, and EECS 450 Internet Security. He was awarded as a Searle Junior Fellow by the Searle Center for Teaching Excellence of Northwestern University in 2004.