MGMT 4250 Sec 001 – Information Security Management

Fall 2017

Instructor
Dave Eargle (contact)
Class
Tue/Thu 12:30PM - 1:45PM
KOBL 302
Office Hours
Location: S450J
Hours: Tuesday 2-3pm, Thursday 3-4pm
Or, by appointment

Course Information

Course Description

This course is a broad introduction to the managerial issues of information security. Because security is multifaceted, the topics of the class range widely, including technical (e.g., cryptography), managerial (e.g., policy compliance), physical (e.g., door locks), and psychological (e.g., social engineering) issues. A key objective of the class is to develop a security mindset, in which one learns to think like an attacker for ways to exploit a system.

Learning Outcomes

Develop working knowledge of methods of protecting data
To gain a working knowledge of modern methods of protecting data: encryption, hashing, confidentiality, authentication, integrity, non-repudiation, certificates, and IP security.
Gain familiarity with attack vectors
To become familiar with attack vectors that are commonly executed in attempting to access and compromise or steal data
Learn methods of attack prevention and detection
To learn modern methods of attack prevention and detection: antivirus, firewalls, intrusion detection, and system hardening
Learn methods of threat modeling
To learn state-of-the-art methods of threat modeling.
Develop a security mindset
This goal will help you think like a security professional—how to identify threats like an attacker, and how to mitigate those threats.
Appreciate the broad disiciplines required for IS security
This class will help you appreciate the broad disiciplines required for information security to work. We’ll cover subjects as diverse as cryptology, physical security, psychology, and management.

Technology Requirements

Materials

Certification Option

As an option, students seeking certification may replace the final exam by passing the Security+ certification or another certification approved by the instructor. You can substitute your score on the certification (plus an adjustment—5% for the Security+) for the final. For example, if you received an 85% on the Security+ exam you would receive a 90% for your final exam score.

To receive credit for the certification, a student must show evidence of having taken the certification exam by the last day of class. If a student doesn’t show the instructor evidence of passing the certification by this date, then he/she will be required to take the final exam.

Grading

Item Points
Quizzes 125
Labs 200
Midterm project 200
Threat assessment project 125
Participation 50
Security Films 50
Final Exam 250
Total 1000
Extra Credit Value
Security Movie for Extra Credit Replace 1 quiz
Security Book for Extra Credit Replace 1 lab

Classroom Policies

Participation Policy

Contribution will account for 5% of your final grade. Most students will earn 80% of these points. Students who are exceptional and go above and beyond in enhancing the classroom experience may receive a higher score.

The following list is not comprehensive, but rather an example of items weighted in the contribution category:

Team work

In this class, you will work in teams. As a result, review a short report on team effectiveness and establish a team agreement (sample agreement). Give the instructor a copy of your team agreement by the end of the second week of classes.

Freeloader policy

It occasionally happens in class and enterprise settings that someone in a group is not prepared to do his/her share. In the case of my classes, I recommend that the team give the freeloader one warning and then fire that person from the team. That person will then do group assignments individually or find another team to join. The team should notify me of the change in team composition immediately. I distribute a form to assess team participation at the end of the semester. If a major disparity in team contribution is reported, I will adjust team project grades.

Classroom Procedures

Students are welcome to use laptops in class for note taking and completing class exercises, exclusively.

Late Work

All assignments and projects are to be submitted on time or early, so plan accordingly. If you have to miss class please submit your assignment early. On VERY rare occasions, an exception may be granted, allowing the student to submit the work late with a 20% penalty. Under no circumstances will anything be accepted more than a week late.

Assignments

Labs

Labs are hands-on learning activities that will be begun in class and completed outside of class. Labs are typically due one week after they are introduced in class.

Midterm vulnerability assessment project

This is a group project. The midterm will be a vulnerability and penetration assessment report of a server. The report will be written for an upper management audience. Teams of students will be given an IP address of a server to assess for security weaknesses. The midterm report will be due two weeks later.

Current event threat assessment

This is a group project. Teams will choose a recent security breach incident and report on it as if it just occurred. The report will summarize the incident and give recommendations for how to manage the threat. The report will also include a risk assessment of other potential threats the chosen organization faces, along with recommendations for mitigating each identified threat. Deliverables include a written report and a presentation.

Readings Quizzes

Most readings and videos on the schedule have associated quizzes. Quizzes are open book, open Internet and must be completed within 20 minutes. Quizzes are administered on D2L.

Quizzes are due before class at noon on the date due.

Security Films

Two films are required viewing for this course: “Zeros Days” and “Citizenfour.” You can watch these films with the class on the announced screening days, or on your own. To receive credit, complete one security films report quiz for each film. Simply indicate that you watched the whole film and give your brief reaction to the film.

Extra Credit

You can replace your lowest quiz score by watching a third security film from the Security Readings and Films list submitting a few sentences about what you thought about it.

Similarly, you can replace your lowest lab score by reading a security book from the Security Readings and Films list and submitting a few sentences about what you thought about it.

Team evaluation

This form should be submitted before the final exam.

Schedule

Date Topic Activities
Before Class In-Class Due by 11:59pm
Tue, Aug 29 Introduction

[“In-class survey”]

Thu, Aug 31 Threat Modeling Readings Due before class
  • Quiz: Threat Modeling
Assigned Today
Tue, Sep 05 Cryptography – Introduction Assigned Today
  • Install Windows lab VM if necessary
  • Submit screenshot of Cryptool 2.0 running on your computer
Thu, Sep 07 Cryptography – Hashes & Symmetric Readings Due before class
  • Quiz: Anderson, Ch. 5, pp. 129-149
  • Submit screenshot of Cryptool 2.0 running on your computer
Assigned Today
  • Lab: Threat Modeling
Tue, Sep 12 Cryptography – Asymmetric Assigned Today
Wed, Sep 13
  • Email your PGP public key to Dr. Eargle (see Lab – Asymmetric)
Thu, Sep 14 Cryptography – Digital Certificates and PKI Readings Assigned Today
  • Lab: Symmetric Encryption and Hashing
Tue, Sep 19 Codes Video
  • Lab: Asymmetric Encryption
Thu, Sep 21 Physical Security Readings Due before class
  • Quiz: Anderson, Chapter 11
Assigned Today
  • Lab: Digital Certificates
Tue, Sep 26 Introduction to Computer Networking Readings
Thu, Sep 28 Introduction to Linux (in-class lab)

See this page for the material

  • Lab: Physical Security
Tue, Oct 03 Vulnerability Scanning Assigned Today
Thu, Oct 05 Vulnerability Exploitation Assigned Today
Tue, Oct 10 System Hardening Assigned Today
  • Lab: Vulnerability Scanning
Thu, Oct 12 Authentication and Passwords Readings Due before class
  • Quiz: Anderson Ch. 2, pp. 31-39, 56-58
Tue, Oct 17 Password Cracking Readings Due before class
  • Quiz: Goodin, "Why passwords have never been weaker"
Assigned Today
  • Lab: Exploitation
  • Lab: Hardening
Thu, Oct 19 Midterm Prep
Tue, Oct 24 Midterm – no class Assigned Today
  • Lab: Password Cracking
Thu, Oct 26 Midterm – no class
  • “no class today; work on midterm”
Tue, Oct 31 Web application security – SQL Injection Readings Due before class
  • Quiz: Clarke, Chapter 1
  • “Lab – SQL Injection (in-class only)”
Thu, Nov 02 Web application security – XSS Readings Due before class
  • Quiz: Stuttard and Pinto, Attacking Users: Cross-site Scripting, pages 431–451
  • “Lab – XSS (In-class only)”
  • Midterm due
Fri, Nov 03 Film "Zero Days" screening
Tue, Nov 07 Guest Speaker -- WebRoot, Dave Dufour, VP of Engineering
Thu, Nov 09 Network Security Monitoring Readings Due before class
  • Quiz: Bejtlich, Chapter 1
Assigned Today
Tue, Nov 14 Human Element Readings Due before class
  • Quiz: Schneier, "The Security Mirage"; Anderson, Chapter 2, pp. 17-30, 40-42; Honan, "Cosmo"
Assigned Today
Thu, Nov 16 Information Privacy Readings Due before class
  • Quiz: "The collapse of the US-EU Safe Harbor: Solving the new privacy Rubik's Cube"
  • Form 2-3 person teams (or you can work on your own) for the threat assessment project. Mark your teams and claim your topics here (even if you’re working on your own)
Assigned Today
  • Lab: Network Security Monitoring
Fri, Nov 17
  • choose your teams and your topics for the threat assessment project (use the spreadsheet linked on 16 November 2017)
Tue, Nov 21 Fall Break
Thu, Nov 23 Fall Break
Tue, Nov 28 Information Security in Organizations
  • Lab: Privacy and Anonymity
Thu, Nov 30 Security and Society
Tue, Dec 05 Presentations; USENIX Enigma talks Due before class
  • Threat assessment deliverables (document and presentation submitted to D2L) due by 9:00 am
Thu, Dec 07 No class
Tue, Dec 12 No class
Thu, Dec 14 Course wrap-up; FCQ administration Due before class
  • By 9am today, submit topics from the semester you would like to discuss in preparation for the exam here
  • Lab: Social Engineering (Extra credit)
  • "Citizenfour" report
  • "Zero Days" report
  • Book extra credit report
  • Movie extra credit report
Mon, Dec 18 Final exam Due before class



Relevant University Offices, Policies, and Procedures

Student Classroom and Course-Related Behavior

Disability Services. Please note that English as a second language is not a recognized disability and no extra exam time, nor any special conditions (e.g., use of a dictionary) can be provided to any student. This is a School policy, not left to the discretion of the professor.

Honor Code

Religious Holidays

Discrimination and Harassment

Final Examination Policy (should you have 3 exams on the date of our final exam)