CSE 4471: Information Security
M/W/F 12:40-13:35 (13:50-14:45) at PO 0150 (PO 0260)
$Id: fall2019.t2t, v1.0 Exp $

---------------------------------------------------------------------------

=== Course Objective ===

There is a lot more to the concept and practice of information security than just hackers and technology. In fact, this course is three parts business mixed with one part computer science. As cryptographer Bruce Schneier puts it: ``If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.''

Upon course completion, students are expected to:

- Possess a high-level understanding of how information security functions within an organization.
- Understand the fundamentals of information security governance, as well as related legal and regulatory issues.
- Understand basic external and internal information security threats to an organization.
- Be familiar with the structure and objective of security policies, standards and guidelines.
- Be familiar with the topic of information security awareness, and have a clear understanding of its importance.
- Be familiar with how threats to an organization are discovered, analyzed, and dealt with.
- Possess a clear understanding of Mr. Schneier's above quote.
- Have experience with formal presentations and teamwork.
- Have an introductory technical familiarization with fundamental security principles, mechanisms, techniques, and tools.

=== Text Books ===

- "Principles of Information Security," Sixth Edition, Whitman and Mattord, CENGAGE Learning
  - Note: past students have successfully used the Fourth Edition, with the proviso that page, chapter and exercise numbers do not always correspond. If you choose to use an alternate edition, please be aware that it is your responsibility to ensure that you are reading the correct material and completing the correct corresponding assigned exercises.
- Additional readings will be made available in class and/or via Carmen.

---------------------------------------------------------------------------

=== Course Topics ===

- Introduction
  - Course Overview and Logistics
  - Security Model and the Complexity of Security
  - The Art and Science
  - Threats, vulnerabilities
  - Attacks, exploits
- Non-Technical Aspects: Ethics, Policy, Laws; Human Weaknesses
  - Ethics, Law
  - Risk Management
  - Security Policy
  - Human Weaknesses
- Technical Foundation in Information Security: Access Control, Cryptography
  - Physical Access Control
  - Cyber Access Control Models
  - Authentication
  - Authorization
  - Cryptography and Common Ciphers
  - Cryptographic Algorithms
  - Asymmetric Cryptography
  - Cryptographic Tools
  - Protocol Security
- Technical Design: Principles, Techniques, Tools
  - Security design principles
  - Operating systems security
  - Software security
  - Hardware security
  - Network security
  - Firewalls
  - Virtual private networks (VPNs)
  - Intrusion Detection Systems (IDS)
  - Intrusion Prevention Systems (IPS)
  - Cyber Deception (e.g., honeypots)
  - Reconnaissance, Pentest
  - Anonymity network Tor
  - Vulnerability analysis
  - Reverse engineering
  - Exploit hardening
- Implementation, Deployment, and Maintenance
  - Implementation of information security
  - Digital forensics

For lecture notes, please check [CARMEN https://carmen.osu.edu].

=== Office Hours ===

- Instructor: M/W 3:00PM - 4:00PM (or by appointment). Office DL 787
- TA (Mr. Xin Jin, jin.967@buckeyemail.osu.edu): Wednesday 3-5PM at Baker 439

=== Grading ===

Your grade will be based on a composite score computed according to the following breakdown:

|| Item | Percentage |
| Homework | 10 |
| Quizzes | 10 |
| Security project | 20 |
| Project presentation | 10 |
| Midterm | 15 |
| Final Exam | 25 |
| Participation | 10 |

- **Homework** will cover or review current topics from the readings and lectures.
- There will be one **in-class quiz** for each section of the material.
- **Security presentations** are 10-minute in-class presentations to be completed by teams of at least 2 students (each must share a portion of the actual presentation). Topics are of the students' choosing and may be anything security related. This assignment includes preparation of a 1-page summary hand-out, as well as a PowerPoint presentation. Peer review of classmates' presentations is a graded component, and contributes 40% of your project grade.
- **Security projects** are group assignments (approx. 5 students per team) which entail the implementation of a security-related project of each team's choosing. There are two project alternatives.
- The **Midterm exam** is a 55-minute in-class exam covering all course content to date.
- The **Final Exam** is a 100-minute comprehensive exam.
- **Participation** includes the peer review process for both the security presentations and projects, as well as in-class quizzes. Exemplary attendance and active discussion also contribute to your participation score. Failure to adhere to class policies may deduct from your participation score.
- **Extra Credit**: Selected in-class and out-of-class exercises will be available for extra credit points, which are added to the total homework points earned. Consistent and helpful participation in Piazza may also earn extra credit.

All quizzes and exams are closed book, closed notes. The midterm and final exam will be comprehensive.
=== Exams ===

The midterm will be held during a regularly scheduled course lecture meeting time, so there should be no scheduling conflicts. Your attendance is required on the day of the midterm exam. The midterm may not be taken early and may not be made up.

The final will be a combined-section exam at the date and time provided in the ``important dates'' section above. If you have a conflict (or a potential conflict) with the common exam time, you are required to report it to your instructor no later than the last day of the first calendar month of classes so that alternative arrangements can be made for you. Three or more exams on the same calendar day are considered an ``exam conflict,'' and you may take the exam at the alternative time.

Exams are due at the end of the examination period as announced by the instructor. Continuing to work on your exam after the examination period has ended may result in your work being considered late and a reduction in your score, up to and including receiving a score of 0 for the exam. In the event of an unavoidable, unanticipated absence from an exam, the student is required to notify the instructor as soon as possible.

No electronic devices, including cell phones, are permitted on your person during exams.

=== Homework and Presentations ===

Homework assignments, course announcements, optional readings and other course material will be provided via Carmen.

==== Course Project ====

Students will work in project groups of (approx.) five persons. Please treat all project dates and times as deadlines. Plan accordingly. Late submissions will not be accepted.

- Project Teams
  - Each member of a project team will have unique strengths and weaknesses.
  - Effective teams find useful and productive ways to utilize each project member.
  - Effective teamwork and team coordination (project management) is a graded part of the project assignment.
  - The ethical or unethical behavior of any teammate reflects on the behavior of all members of the team.
  - It should not be expected that all team members will necessarily receive the same grade on a given assignment.
  - As part of the peer-review process for each project, each team member will provide a written self-assessment of their project group.
- There are two project alternatives:
  - **Security application**: This option may take the form of a desktop application, a server-side application, a sockets-based communication program, a mobile device application or other software project which relates to security or has a security focus. Top-scoring projects will include a substantial original component (1500+ lines of C/C++/Java/Python), and will be demonstrated successfully during a final group presentation. This option also includes a short (4 - 6 page) summary report documenting the project and its security relevance and impact.
  - **Security plan**: This option involves selecting a publicly-traded corporation and applying the concepts learned in this class to create a security plan for that company. This option also includes implementation of a small software component (300 to 500 lines of C/C++/Java/Python) which is integrated into the security plan. The primary deliverable is a 12 - 30 page summary security plan which includes a plan methodology and the results of applying that methodology to the specific needs and circumstances of the selected corporation.

All projects include a 20-minute, peer-reviewed, in-class PowerPoint presentation. Peer review scores contribute 40% to the project score. Both teamwork and individual participation are important graded project components.
Projects will be graded according to the following scale and expectations:

|| Project grade | 100-scale | Requirements |
| 5 | 100 | professional quality, correct, documented code, well-substantiated conclusions, thoughtful and neatly completed (.pdf, Word, etc.), correctly submitted, sound presentation |
| 4 | 93 | essentially correct in all aspects, lacking in quality of arguments, presentation or submission |
| 3 | 85 | contains one or two minor errors or omissions of a key concept |
| 2 | 75 | contains a significant error, or multiple minor errors or omissions |
| 1 | 60 | lacking multiple significant components |
| 0 | 0 | work not submitted |

=== Course Logistics ===

=== Attendance Policy ===

Generally, attendance is not required. However, class participation in the form of quizzes and in-class exercises is a component of your final grade. In particular, attendance is required on presentation days, when you will be providing written peer reviews of your classmates' work.

=== Late Policy ===

All late submissions will automatically lose 10 points per day of delay until the points for that homework/project are gone.

Quizzes are taken online during class. Please bring a laptop, tablet or smartphone for in-class quizzes.

==== Academic Integrity ====

It is expected in this course that students are familiar with the academic integrity guidelines of The Ohio State University as defined by the Office of Academic Affairs. Please refer to https://oaa.osu.edu/academic-integrity-and-misconduct.

- It is expected that students will only turn in work that is their own, or the work of a team to which they have been assigned for a given specific assignment.
- It is expected that students will neither seek nor receive any form of aid, other than from the instructor or proctor, during any exam or quiz.
- In the event that there is reasonable doubt about the integrity of any student's work, that student and said work will be referred to the Committee on Academic Misconduct for adjudication.
==== Your Final Grade ====

Your final letter grade will be based on the following scale.

|| Scale | Letter |
| 93+ | A |
| 90 - <93 | A- |
| 87 - <90 | B+ |
| 83 - <87 | B |
| 80 - <83 | B- |
| 77 - <80 | C+ |
| 73 - <77 | C |
| 70 - <73 | C- |
| 65 - <70 | D+ |
| 60 - <65 | D |
| <60 | E |

==== Acknowledgement ====

This syllabus is adopted from prior instructors including [Dr. Jeffrey Jones http://web.cse.ohio-state.edu/~jones.5374/] and [Dr. Dong Xuan http://web.cse.ohio-state.edu/~xuan.3/].