CSC 474/574 Information Systems Security

Syllabus

1.    Instructor:

Dr. Peng Ning,

Office: Room 250 Venture III (in Suite 243), Centennial Campus

Phone: (919) 513-4457

Email: ning (at) csc.ncsu.edu

URL: http://www.csc.ncsu.edu/faculty/ning

Office hours: Tuesdays and Thursdays, 3:00 pm – 4:00 pm

2.    Course Objectives:

Students will be able to :

1.     State the basic concepts in information security, including security policies, security models, and various security mechanisms.

2.     Explain the basic number theory required for cryptographic applications as well as various cryptographic systems.

3.     Manually compute using Fermat's theorem, Euler's theorem, Euclid's algorithm, extended Euclid's algorithm.

4.     Manually encrypt/decrypt and sign/verify signatures for small messages using RSA, Diffie-Hellman, and DSA algorithms.

5.     State the requirements and mechanisms for identification and authentication.

6.     Explain and compare the various access control policies and models as well as the assurance of these models.

7.     State the characteristics of typical security architectures, including multi-level security systems.

8.     State the criteria of evaluating secure information systems, including evaluation of secure operating systems and secure network systems.

9.     List the database security issues and solutions, including models, architectures, and mechanisms for database security.

10.  List network and distributed systems security issues and solutions, including authentication, key distribution, firewalls, and network security protocols.

11.  State program security issues, including virus, worm, and logical bombs.

12.  State the basic concepts and general techniques in security auditing and intrusion detection.

13.  State the issues related to administration security, physical security, and program security.

14.  Determine appropriate mechanisms for protecting information systems ranging from operating systems, to database management systems, and to applications.

3.    Textbooks:

• Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2003. ISBN: 0-201-44099-7.
• Handouts (All handouts are accessible on-line)

1. Sandhu, R.S. Lattice-based access control models, IEEE Computer, 26(11): 9 –19, Nov. 1993. 
2. Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-based access control models, IEEE Computer, 29(2): 38 –47, Feb. 1996.
3. Brewer, D.F.C.; Nash, M.J. The Chinese Wall Security Policy, In Proceedings of IEEE Symposium on Security and Privacy, pages 206-214, 1989.
4. E. Bertino, P. Samarati, and S. Jajodia, An extended authorization model for relational databases, IEEE Trans. on Knowledge and Data Engineering, 9(1):85-101, 1997.
5. N. R. Adam and J. C. Wortmann. Security-control methods for statistical databases: A com- parative study. ACM Computing Surveys, 21(4): 515–556, December 1989.
6. B. Mukherjee, L.T. Heberlein, and K.N. Levitt. Network Intrusion Detection, IEEE Network, 8(3): 26-41, May 1994.
7. RSA Data Security Inc., RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1, 2000. Accessible at http://www.rsasecurity.com/rsalabs/faq/index.html.
8. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press. ISBN: 0-8493-8523-7.

4.    Course Organization and Scope:

(Assume each lecture takes 75 minutes. The following topics need 30 lectures (or 15 weeks).)

1. Basic Security Concepts (1 lectures)

• Confidentiality, integrity, availability
• Security policies, security mechanisms, assurance

2. Cryptography and Its Applications (5 lectures)

• Basic number theory
• Secret key cryptosystems
• Public key cryptosystems
• Hash function
• Key Management

3. Identification and Authentication (2 lectures)

• Basic concepts of identification and authentication
• Password authentication

4. Access Control (5 lectures)

• Basic concepts of access control
• Discretionary access control and mandatory access control
• Lattice-based Models
• Covert Channels
• Noninterference Models
• Chinese Wall Security Policy
• Role based Access Control
• Mid-term Review: topics 1 - 4 (1 lecture)

5. Assurance and Evaluation of Secure Information Systems (2 lectures)

• TCSEC, TNI, CC, etc.

6. Introduction to Database Security (1 lectures)

• Security requirements in databases
• Access control and authorization in databases.
• Inference control

7. Network and Distributed Systems Security (5 lectures)

• Issues in Network and Distributed Systems Security
• Introduction to IPSEC, SSL, ISAKMP/Oakley, etc.
• Introduction to Firewall, Virtual Private Network, Secure Email, etc.

8. Program Security (Virus and other malicious software) (2 lectures)
• Malicious logics
• Developing secure software
9. Auditing and Intrusion Detection (3 lecture)
10. Administrating Security (2 lectures)

• Risk Analysis.
• Security Planning.
• Organizational Security Policies

11. Physical Security and Beyond (1 lecture)

• Physical security, TEMPEST, legal and ethical issues in security, environmental issues, etc.

5.    Schedule of Reading Assignments:

If not specifically identified, the following chapters refer to those in the first textbook. We refer to the second textbook as Abrams et al.

 

·       Topic 1: Chapter 1.

·       Topic 2: Chapters 2.4.1 – 2.4.4 in handout 8; Chapters 9, 10 and 11.

·       Topic 3: Chapter 12; Chapters 2.2.2 and 2.2.5 in handout 7.

·       Topic 4: Chapters 2 – 7; handouts 1 – 3.

·       Topic 5: Chapters 18, 19, and 21.

·       Topic 6: Handouts 4 and 5.

·       Topic 7: Chapters 11.4, 26, and 27.

·       Topic 8: Chapters 22 and 29.

·       Topic 9: Chapters 24 and 25; Handout 6.

·       Topic 10: Chapters 23.

·       Topic 11: TBD.

6.    Schedule of homework due dates, quizzes and exams:

There are 5 homework assignments and 2 exams. Quizzes are given in the form of pop quizzes. Pop quizzes are adopted to encourage the students to study during the non-exam weeks. The results of pop quizzes are not counted in the final grade.

• Homework 1: topics 1 and 2, due by week 5
• Homework 2: topic 3, due by week 7
• Homework 3: topic 4, due by week 9
• Homework 4: topics 5 – 7, due by week 11
• Homework 5: topics 8 – 10, due by week 13
• Mid-term exam: week 8
• Research project report: due by week 15
• Final exam: decided by the university.

7.    Grading:

• CSC 474: Assignments 20%, midterm 40%, final 40%.
• CSC 574: Assignments 15%, project 15%, midterm 35%, final 35%.
• The final grades are computed according to the following rules:

o               A+: >= 95%

o               A: >= 90% and < 95%

o               A-: >= 85% and < 90%

o               B+: >= 80% and < 85%

o               B: >= 75% and < 80%

o               B-: >= 70% and < 75%

o               C+: >= 66% and < 70%

o               C: >= 63% and < 66%

o               C-: >= 60% and < 63%

o               D+: >= 56% and < 60%

o               D: >= 53% and < 56%

o               D-: >= 50% and < 53%

o               F: < 50%.

8.    Policies on late assignments:

Homework and project deadlines will be hard. Late homework will be accepted with a 10% reduction in grade for each class period they are late by. However, once a homework assignment is discussed in class, submissions will no longer be accepted. All assignments must be turned in before the start of class on the due date.

9.    Policies on absences (excused and unexcused) and scheduling makeup work:

The university policy on absences will be enforced. See the university policy at the following URL.

http://www.ncsu.edu/provost/academic_regulations/attend/reg.htm

• The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam.
• Late submission of homework assignments due to excused absences is not subject to the policies on late assignments.

10.         Course prerequisites:

CSC 401, CSC 440.

11.         Academic integrity:

The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the NCSU Code of Student Conduct from the Office of Student Conduct, or from the following URL.

http://www.fis.ncsu.edu/ncsulegal/41.03-codeof.htm.

12.         NC State policy on working with students with disabilities:

“Reasonable accommodations will be made for students with verifiable disabilities. In order to take advantage of available accommodations, students must register with Disability Service for Students at 1900 Student Health Center, Campus Box 7509, 515-7653.

http://www.ncsu.edu/provost/offices/affirm_action/dss/

For more information on NC State’s policy on working with students with disabilities, please see

http://www.ncsu.edu/provost/hat/current/appendix/appen_k.html.

13.         Laboratory Safety or Risk Assumption: Not Applicable.

14.         “Pass-through” Charges: Not applicable.