CS 52600 - Introduction to Information Security Fall 2017

Navigation

Description

This course is an introduction to the elements of information security and protection. It covers issues for systems and networks, including policy, design, operation, incident detection and response, and more.

Catalog description: Basic notions of confidentiality, integrity, availability; authentication models; protection models; security kernels; secure programming; audit; intrusion detection and response; operational security issues; physical security issues; personnel security; policy formation and enforcement; access controls; information flow; legal and social issues; identification and authentication in local and distributed systems; classification and trust modeling; and risk assessment. Typically offered Fall.

Credit

3 class hours, 3 credit hours

Prerequisites

CS 50300 -or- permission of instructor

Although not required, having had CS 35500, CS 55500, or equivalent be helpful.

Policies & Standards

All of my courses operate under the same general policies and standards . My students are expected to study and understand all of these policies. Potential students are encouraged to check these out before signing up for one of my classes.

Details

Class meetings

T Thr in HAAS G-066, 10:30am ‐ 11:45am

Midterm:

Tentatively scheduled for October 12, in class
No books or notes. NO electronic devices.

Final exam:

8am -- 10am, Friday December 15 in LWSN B155
Comprehrensive. No books or notes. NO electronic devices.

Instructor

Eugene H. Spafford (Spaf)

Some classes will be taught by other faculty when Spaf is out of town.

For office hours, telephone/email, etc., see Spaf's homepage .

TA

Kyriakos Ispoglou (ispo)

Office hours: M W 10am ‐ 2pm, or by appointment office: HAAS G-50
email: < kispoglo@purdue.edu >

Contacting Students

There will be a course email list used for high-priority announcements. This will use your registered @purdue.edu email address; make sure this is forwarded to an account you read on a regular basis.

Some announcements may be posted in Blackboard, so be sure to check that at least once each week.

This informational page will be updated over the course of the semester! Be sure to check it regularly.

Grades and Grading

Blackboard will be used to distribute assignments and collect your responses. Grades will only be available there.

The final grade in the class will be based on assignments, a midterm exam, a final paper, and a comprehensive final exam. Classroom and discussion participation may be used to adjust final grades. In-class quizzes may be given without advance notice.

The determination of final scores will be approximately 5% for homeworks, 25% for the term paper, 30% for the midterm, and 40% for the final exam.

I have adopted this 10 point scale for assignments, originally described by Professor Clifton for grading all non-test items:

10	Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare, and for many homeworks/problems a perfect score will correspond to an 8.
8	What I'd expect of a Ph.D. candidate or outstanding MS student. This corresponds to an A grade.
6	Average Master's degree student work, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
4	Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
2	Not good enough for a graduate student. But something.
0	Missing work, or so bad that you needn't have bothered.

Week-by-week topics

The following shows an approximate week-by-week list of topics and readings (readings will be fleshed out as the semester advances). The actual presentation of some of these topics may change, subject to availability of guest lecturers and additional resources.

† Normally, Wikipedia should not be relied upon as a definitive resource: many of its pages contain incomplete and incorrect information. Some of the pages are actually carefully crafted hoaxes . For this course, I will, however, list some Wikipedia entries for overview purposes because I have reviewed them (at the time of assignment) and found no glaring errors.
‡ You will need to access some of these readings via the Purdue online library ‐ you need to use the Purdue portal to get to them.
Week / Dates	Topics	Readings & Notes
1 / Aug 21	Class introduction & policies and overview of class. Basic definitions: risk, vulnerability, trust Basic cryptography	Text, pp. 1 ‐ 33 (Chapter 1), 647 ‐ 700 (Chapter 10) Reflections on Trust , Ken Thompson, 1984, CACM. ^‡ entry on Information Security in Wikipedia ^† IS0 27002 entry on Parkerian Hexad in Wikipedia ^† The Protection of Information in Computer Systems (especially part A) by J. H. Saltzer and M.D. Schroeder Threats and heuristics in enterprise risk management by Sam Liles (OPTIONAL) This World of Ours by James Mickens Text pp. 86 ‐ 127 (Chapter 2 Sections 3 & 4), 768 ‐ 812 (Chapter 12) Dunning-Kruger in Wikipedia ^† entry on pseudo-random number generators in Wikipedia ^† Introduction to Randomness at random.org (try the linked exercises ) (OPTIONAL) entry on Cryptography in Wikipedia ^† (OPTIONAL) Google 2-factor authentication
2 / Aug 28	Basics of Physical Security Basics of Personnel Security	entry on physical security ^† entry on TEMPEST ^† Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses^‡ by Steve H. Weingart YouTube video Watch hackers break into the US power grid (SKIM) U.S. Army Personnel Security manual set of linked pages at UK CPNI
3 / Sep 4	Authentication	Text pp. 36 ‐ 72, (Chapter 2 Section 1) USACM primer on Identity and Identification NIST Publication 800-63b entry on password strength in Wikipedia ^† entry on password cracking in Wikipedia ^† entry on one-time password in Wikipedia ^† entry on challenge-response in Wikipedia ^† entry on biometrics in Wikipedia^† Human chimeras story in Scientific American Inhibiting and Detecting Offline Password Cracking ^‡
4 / Sep 11	OS architecture & security	Text pp. 280 ‐ 339 (Chapter 5) Reference monitor trusted (trustworthy) systems ^† (follow links) trusted computing (TPM) ^† (follow links)
5 / Sep 18	Access control	Text pp. 72 ‐ 86 (Chapter 2 Section 2) Access Control: Principles and Practice, by Sandhu and Samarati entry on Filesystem permissions ^† Unix files and permissions More on Unix permissions Kerberos: An Authentication Service for Computer Networks An Introduction to Role Based Access Control
6 / Sep 25	Software security Flaws & testing	Text pp. 131 ‐ 166 (Chapter 3 Section 1) Text pp. 196 ‐ 229 (Chapter 3 Section 3) 13 Security Principles for 2013 An Empirical Study of the Reliability of Unix Utilities Fuzz Revisited Stack Guard: Simple Stack Smash Protection for GCC Article on stack smashing and canaries entry on Privilege Escalation ^† entry on Directory Traversal ^† entry on Stack buffer overflow ^† entry on Buffer overflow protection ^† entry on Format string attack ^† entry on Integer overflow ^† entry on Address Space Randomization ^† Microsoft Secure Design Lifecycle HackerOne list Social processes and proofs of theorems and programs by DeMillo, Lipton, and Perlis.^‡ (OPTIONAL) The BSIMM document (OPTIONAL) CVE (OPTIONAL) Implicit Buffer Overflow Protection Using Memory Segregation
7 / Oct 2	Network threats & attacks Network defenses	Text pp. 341 ‐ 432 (Chapter 6 Sections 1-5) ARP poisoning ^† (follow links) security issues with DNS session hijacking ^† (follow links) SYN flooding et al ^† (follow links in see also section) Text pp. 432 ‐ 474 (Chapter 6 Sections 6 & 7) Diffie-Hellman key exchange IP Protocol ^†
8 / Oct 9	Fall Break! Midterm
9 / Oct 16	Network security (firewalls, etc) Cloud security Intrusion detection	Text pp. 551 ‐ 584 (Chapter 8) Text pp. 474 ‐ 496 (Chapter 6 Sections 8-10) Computer Threat Monitoring and Surveillance by J. P. Anderson An Intrusion Detection Model by Dorothy Denning The March of IDES: Early History of Intrusion-Detection Expert Systems ^‡ by Jeffrey R. Yost Experiences with Tripwire by Kim and Spafford (note this was published in 1994)
10 / Oct 23	Malware and defenses	Text pp. 166 ‐ 196 (Chapter 3 Section 2) Wikipedia entry on Malware . ^† Look at the referenced pages for Trojan Horse, Virus, etc. note the publication date ‐ this is early history: Computer Viruses ‐ A Form of Artificial Life?" article on computer virus concealment and evasion The Internet Worm ^‡ Microsoft's page on ransomware . Wikipedia page on ransomware ^† an article on the number of computer viruses in 2013 and then in 2015 article on construction of botnets (OPTIONAL) Do some searches on YouTube -- there are many video examples and tutorials of the various web attacks, if you want to look for them.
11 / Oct 30	Web security issues	Text pp. 232 ‐ 278 (Chapter 4) entry on HTTP cookie in Wikipedia ^† all the pages about web cookies at this site . entry on Cross-site scripting in Wikipedia ^† entry on Cross-site request forgery in Wikipedia ^† Veracode's pages on XSS . Explore the OWASP site . There is no requirement to read anything specific other than the most recent Top 10 entry on Clickjacking in Wikipedia ^† entry on HTTPS ^† entry on DNSSEC ^† entry on Public key certificate ^† SQL injection ^† (OPTIONAL) Web Security, Privacy & Commerce, 2nd Edition (OPTIONAL) Do some searches on YouTube -- there are many video examples and tutorials of the various web attacks, if you want to look for them.
12 / Nov 6	Models, including multilevel security	trusted system concepts Bell LaPadula model ^† Clark-Wilson model ^† Biba model ^† The Birth and Death of the Orange Book ^‡ by Steve Lipner Considerations of defense in depth by Sam Liles
13 / Nov 13	Privacy Supply chain issues OPSEC	Text pp. 586 ‐ 644 (Chapter 9) Future biometric systems and privacy, chapter 6 in Privacy in America (visit Purdue library page, search for "aspray privacy biometrics", and click through the links to read online) The Balance of Privacy and Security Supply-Chain Risk Management entry on opsec^†
14 / Nov 20	Incident response Turkey response ‐ Thanksgiving!	(OPTIONAL) Cyber policy resources (read pp. 6--17, remainder OPTIONAL) A Step-By-Step Approach On How To Set Up A CSIRT An Evening with Berferd Stalking the Wily Hacker
15 / Nov 27	Law & ethics Certifications, economics	Text pp. 702 ‐ 765 (Chapter 11) Text of Title 18 Section 1030 Computer Fraud and Abuse Act Text pp. 813 ‐ 834 (Chapter 13 Sections 1 & 2)
16 / Dec 4	E-voting, Cyberwar Catch-up & review	Text pp. 834 ‐ 850 (Chapter 13 Sections 3 & 4) (OPTIONAL) pp. 501 ‐ 549 (Chapter 7) Mandiant Report: Exposing One of China's Cyber Espionage Units China's Army Unit Is Seen as Tied to Hacking Against U.S. Review the list of FIPS-800 and SP-1800 documents especially 800-160 Presentation on Security Maxims Top 10 Security Challenges for 2017 Tradeoffs in Cyber Security by Dan Geer
Finals / Dec 11	8am Dec 15, LWSN B-155

Readings

Referrence texts

Class Text

Charles P. Pfleeger , Shari Lawrence Pfleeger , and Jonathan Margulies: Security in Computing, 5/e Prentice Hall , 2007.

This book does not present items at the depth and rigor we'd normally like, but there are no books that provide the breadth we need for the course.

Other References

Matthew Bishop: Computer Security: Art and Science Addison-Wesley , 2003. ISBN 0-201-44099-7

I suggest you get the latest printing of the textbook; earlier printings had more typos. Also get the appropriate Errata pages .

I maintain a Tumblr blog i try to keep updated with current news about information security. You should monitor the blog and read the items I link in so as to get a sense of current security incidents. The blog is available at http://blog.spaf.us

Some students have found primary material in the research literature easier to understand than the (condensed) treatment in the textbook. The text contains extensive references (over 1000); you are encouraged to go to these for material with which you have difficulty.

Two recommended books for additional reference (or your bookshelf, if you intend to do more work in this area) are:

Ross Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems , 2.e, Wiley, 2008.
Rolf Oppliger: Contemporary Cryptography , 2/e, Artech House, 2011

Other Information

Students are encouraged to attend the weekly security seminar or to view the podcasts online.

Other information, handouts, assignments, etc will all be on the class page in Blackboard and eventually linked in here.

Updated: 12/19/17

Maintained by E. H. Spafford