CS 52600 - Introduction to Information Security Spring 2017





Description

This course is an introduction to the elements of information security and protection. It covers issues for systems and networks, including policy, design, operation, incident detection and response, and more.

Catalog description: Basic notions of confidentiality, integrity, availability; authentication models; protection models; security kernels; secure programming; audit; intrusion detection and response; operational security issues; physical security issues; personnel security; policy formation and enforcement; access controls; information flow; legal and social issues; identification and authentication in local and distributed systems; classification and trust modeling; and risk assessment. Typically offered Fall.

Credit

3 class hours, 3 credit hours

Prerequisites

CS 50300 -or- permission of instructor
If you have not had CS50300 but still want to take the course, consult this discussion of the prerequisite.

Policies & Standards

All of my courses operate under the same general policies and standards. My students are expected to study and understand all of these policies. Potential students are encouraged to check these out before signing up for one of my classes.

Details

Class meetings

T Thr in Lawson B-134

Midterm:

Tentatively scheduled for February 28, in class
No books or notes. NO electronic devices.

Final exam:

TBD, during finals week
Comprehensive. No books or notes. NO electronic devices.

Instructor

Eugene H. Spafford (Spaf)

Some classes will be taught by other faculty when Spaf is out of town.

Marlene Walls, Spaf's assistant, can help with scheduling, delivery of messages, etc.

For office hours, telephone/email, etc., see Spaf's homepage.

TA

Varshali Kumar

Office hours: Thu 2-4pm, Fri 9-11am
office: HAAS G-50
email: <kumar261@purdue.edu>

Contacting Students

There will be a course email list used for high-priority announcements. This will use your registered @purdue.edu email address; make sure this is forwarded to an account you read on a regular basis.

Some announcements may be posted in Blackboard, so be sure to check that at least once each week.

This informational page will be updated over the course of the semester! Be sure to check it regularly.

Grades and Grading

Blackboard will be used to distribute assignments and collect your responses. Grades will only be available there.

The final grade in the class will be based on assignments, a midterm exam and a comprehensive final exam. Classroom and discussion participation may be used to adjust final grades. In-class quizzes may be given without advance notice.

The determination of final scores will be approximately 5% for quizzes, 25% for assignments, 30% for the midterm, and 40% for the final exam.

I have adopted this 10 point scale for assignments, originally described by Professor Clifton for grading all non-test items:

10 Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare, and for many homeworks/problems a perfect score will correspond to an 8.
8 What I'd expect of a Ph.D. candidate or outstanding MS student. This corresponds to an A grade.
6 Average Master's degree student work, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
4 Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
2 Not good enough for a graduate student. But something.
0 Missing work, or so bad that you needn't have bothered.

Qualifier exam

If you plan on taking this as a qualifier exam, you will be given additional information later in the semester about when it will be given and its format.

Week-by-week topics

The following shows an approximate week-by-week list of topics and readings (readings will be fleshed out as the semester advances). The actual presentation of some of these topics may change, subject to availability of guest lecturers and additional resources.

† Normally, Wikipedia should not be relied upon as a definitive resource: many of its pages contain incomplete and incorrect information. Some of the pages are actually carefully crafted hoaxes. For this course, I will, however, list some Wikipedia entries for overview purposes because I have reviewed them (at the time of assignment) and found no glaring errors.
‡ You will need to access some of these readings via the Purdue online library -- Purdue has a subscription to the ACM Digital Library, but you need to use the Purdue portal to get to them.
Week / Dates Topic Readings & Notes
1 / Jan 10-12 Class introduction & policies and overview of class.
Basic definitions, risk, vulnerability, intractability, basic cryptography
2 / Jan 17-19 Cryptography basics continued: block ciphers, hash functions, MACs, stream ciphers, asymmetric ciphers
Basic Authentication
3 / Jan 24-26 Continuation of authentication basics
User authentication: passwords, password cracking, biometrics
4 / Jan 31-Feb 2 Access control
Security models: Bell-LaPadula, Lattice
5 / Feb 7-9 Physical security
Intrusion response, IDS, integrity monitoring, reputation systems
6 / Feb 14-16 Web vulnerabilities
7 / Feb 21-23 Malware (viruses, worms, botnets, et al)
8 / Feb 28-Mar 2 Midterm
OS security basic issues & design, file systems, OS design continued: memory monitor, access control
Trusted Systems; rings & segments, state transitions
9 / Mar 7-9 Secure Software design and assurance methodologies: lifecycle, design, testing
Week of March 13 Spring Break!
10 / Mar 21-23 Classic software vulnerabilities: buffer overflow, conversion failure, privilege escalation, TDTU errors
Secure operation: pen testing, logging
Intrusion detection/prevention
11 / Mar 28-30
Legal issues
12 / Apr 4-6 Classification models
Personnel: espionage, training, certification
13 / Apr 11-13 TBD
14 / Apr 18-20 Network issues
Basic Web & net security: cookies, cross-site scripting, SQL injection, end-to-end encryption
15 / Apr 25-27 Risk
Grab-bag topics: Legal issues, cyberwar, CERT teams, supply chain issues, ethics, law enforcement
15 / Week of May 1 Final exam, TBD. Comprehensive, closed book, closed notes, no electronics. All readings & lecture notes.

Readings

Reference texts

Matthew Bishop
Computer Security: Art and Science, Addison-Wesley, 2003. ISBN 0-201-44099-7

I suggest you get the latest printing of the textbook; earlier printings had more typos. Also get the appropriate Errata pages.

Another suggestion is the text sometimes used for the undergraduate course (CS426):

Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies
Security in Computing, 5/e, Prentice Hall, 2007.

You may find this book easier to read; however, it does not provide all of the mathematics and additional material needed for a graduate-level course. Earlier editions may be easier to find and contain much of the same material.

Two recommended books for additional reference (or your bookshelf, if you intend to do more work in this area) are:

Ross Anderson
Security Engineering: A Guide to Building Dependable Distributed Systems, 2/e, Wiley, 2008.
Rolf Oppliger
Contemporary Cryptography, 2/e, Artech House, 2011

Other Readings

Readings will be added to the above table as the semester progresses. However, as this is a graduate class, students should be seeking out readings on their own to augment the material presented in the lectures. This is especially critical for students planning to take quals in this subject.

I have a (somewhat outdated) list of general recommended readings for my security courses. This will be augmented with other suggestions and recommendations over time.

Other Information

Students are encouraged to attend the weekly security seminar or to view the podcasts online.

Students are also encouraged to register for and attend the CERIAS symposium on April 18 and 19 of this year.

Other information, handouts, etc. will all be on the class page in Blackboard and eventually linked here.