Reg Number T5505
Evenings 6:00 PM - 10:00 PM for 9 Wednesday nights
January 16 2008 to March 12, 2008 5273 Boelter Hall

Instructor:
  Vincent LeVeque
  Science Applications International Inc. (SAIC)
  vleveque@sbcglobal.net

REQUIRED READING:

• Lecture notes, available from Blackboard or through this Web site:
• Class 1 - Overview
• Class 2 - Security Administration
• Class 3 - Risk analysis and password authentication
• Class 4 - Advanced authentication and access controls
• Class 5 - Application and database security
• Class 6 - Event logs and hardware
• Class 7 - Standards compliance
• Class 8 - Formal models of security
• Class 9 - Network security
• Class 10 - Legal issues
• Class 11 - Cryptography

SUGGESTED ADDITIONAL READING MATERIAL (NICE TO GET BUT NOT REQUIRED):

• Official (ISC)2 Guide to the CISSP CBK by Harold F. Tipton (Editor), Kevin Henry (Editor), pub. ISC2 Press/Auerbach, ISBN 0849382319
• Secure Computing, Rita C. Summers, McGraw Hill, New York, 1997, ISBN 0-07-069419-2 Very good, was out of print but Amazon apparently can provide as a print-on-demand item
• Fundamentals of Computer Security Technology, Edward Amoroso, Prentice Hall, Englewood Cliffs, NJ, 1994, ISBN 0-13-108929-3 A rather formal, mathematical treatment

GRADING SYSTEM:

Two online or take-home exams (midterm and final) plus a short (2-5 page) original paper. Grade is based on the exam scores and paper grade.

• Physical Security
• Operational Security
• Disaster Recovery Planning

While this class does cover many of the items required for successful completion of the CISSP examination, it is not sufficient to do so. Additional preparation is strongly advised if you intend to sit for this exam.

Overview of systems and networks. Concepts of security. Types of risks faced by computer systems. Certifications, professional organizations, and further resources.

Professional Associations of Interest to Security Professionals

• Information System Security Association (ISSA)
• Information Systems Audit and Control Association (ISACA)
• Association of Certified Fraud Examiners (ACFE)
• Communications Fraud Control Association
• Computer Security Institute
• MIS Training Institute
• American Society for Industrial Security (ASIS)
• High Technology Crime Investigative Association
• ACM SIGSAC
• IEEE Technical Committee on Security and Privacy

Professional Certifications in Security and related field

• EC Certified Ethical Hacker
• Cisco CCSP (Cisco Certified Security Professional)
• SANS
• (ISC)2 -- Provides CISSP certification
• CSO Online article on the CISSP

Academic Programs in Information Security

• James Madison University - online MS in Computer Science
• RISSC at Mount SAC community college and Cal Poly Pomona
• UC Davis Security Lab
• USC Center for Computer Security

Periodicals and News Sites

• Security Focus
• Secure Computing monthly magazine
• Security Management Magazine (from ASIS)

Some good general references

• CERT main web page
• Internet Engineering Task Force
• Auditnet Resource list
• US government NIST security links

Management of security. Professional Ethics. Role of policies, procedures, and standards. Organization of the security function. Segregation of duties. Security awareness programs. Human resource considerations.

General Policy-Writing Resources

• The Site Security Handbook (IETF RFC 2196 - 1997 version)
• Explanation of "Separation of Duties" courtesy UC Santa Cruz

Security Awareness Resources

• Easyi - Creates "soup to nuts" security awareness programs
• VIsible Statement - Creates animated security awareness screen saver
• Security Awareness Incorporated
• Native Intelligence: Security awareness programs from a Native American perspective

Incident Response Teams

• AusCERT - How to set up an incident response team
• CIAC Department of Energy Incident Response Team
• CERT Coordination Center at Carnegie Mellon University
• FIRST - Forum for Incident Response and Security Teams

Risk analysis, determining risks and risk strategies. Safeguards and counter-measures. Risk analysis software overview.
Identification and access control. Factors of identification, technologies. Password policies

Risk Analysis Methodologies

• Risk Analysis Methodology, Powerpoint slides courtesy Katherine Morse of SAIC
• PhD dissertation on Internet security incidents (based on CERT records)
• Attack Trees paper by Bruce Schneier

The Numbers - Surveys, Statistics, and Anectdotes

• Computing Risks Newsgroup
• Dan Farmer's Security Survey
• The Internet Auditing Project - a massive scan of the entire Internet to find vulnerable systems. 1998-1999
• Do security incidents affect a company's stock price?
• Security breaches drive customers away - a UK article
• Information Security Breaches Survey 2006 by PWC
• Survey: Security efforts paying off, ZDNet June 2004

Password Authentication

• Interesting secure password generator
• Rainbow tables - a faster way to crack passwords

Time-based and cryptographic challenge response. Biometric authentication. Authentication servers and single signon.
Discretionary vs. Mandatory Access control. Access control implementations. ACLs and their implementation in various systems.

Authentication Devices

• Sample S/Key Calculator
• Vasco makes Digipass token authentication. Includes live demo
• CryptoCard challenge-response token authentication
• RSA SecurID time-based synchronous token authentication
• Biometric Consortium: Government Applications and Operations
• Bruce Schneier on the uses and abuses of biometrics
• Impact of Artificial Gummy Fingers on Fingerprint Systems
• SANS paper reviewing XyLoc proximity detector
• Federal Computing World - 2003 review of 2 proximity detectors

Technical Descriptions of More Complex Authentication Methods

• Kerberos FAQ
• Moron's Guide to Kerberos
• The TACACS Remote Access Protocol (IETF RFC 1492)
• RADIUS IETF RFC (IETF RFC 2138)
• RADIUS and TACACS+ Comparison (Cisco, so there is maybe some bias towards TACACS+)

Development, acquisition and maintenance of systems. Roles of controls and accountability. Configuration control. Testing and documentation standards. Formal methods. DBMS security issues.

Standards and Internal Control Issues

• How Sarbanes-Oxley Will Change the Audit Process
• A Survey of Application Security in Current International Standards
• Open Web Application Security Project (OWASP)

Software Engineering (doing things the right way)

• Navy Software Engineering documents
• NISTIR 4909: Software Quality Assurance document

Standards for Secure Code

• Source Code Review Guidelines (slightly outdated)
• Secure Programming for Linux and Unix HOWTO
• Linux Journal: Assessing the Security of Your Web Applications
• Sun Microsystems: Security Code Guidelines for C and Java
• Common Web Application Vunerabilities - Computerworld Feb 2005
• Secureprogramming.com - recipes for coding security and secure coding

Computer architecture and security, the security kernel approach, the Trusted Computing Base. Hardware protection. Examples of Intel x86 and Windows NT

Intrusion Detection - Using event logs to detect and track malicious activity

• Five Mistakes of Log Analysis - Computerworld Oct 2004
• Snort: The premier open source IDS (also for Windows)
• A good intro to intrusion detection
• Carnegie Melon IDS White Paper
• The Honeynet Project home page

Computer architecture and security

• Protection and Segmentation in Advanced X86 programming
• US Navy security models, kernel design and testing class (excellent!) Archived version from wayback machine
• Demonstration of covert timing channel
• Multics home page - early effort to build a secure mainframe-size computer

The Audit process. Types of auditor, compliance audit, certification & accreditation, general controls reviews, third party reviews (SAS 70). Integrity considerations in financial record keeping.

Compliance Auditing -- Government Certification and Accreditation

• Security Certification and Accreditation 101 A short informative review.

Compliance Auditing -- the Financial Audit Perspective

• FFIEC Bank Examination Handbook
• American Institute of Certified Public Accountants
• SAS 70 FAQ
• The SEC's release regarding Sarbanes-Oxley Section 404

Configuration Auditing - Is your security set up properly?

• The Admin's Guide to Cracking
• Open Source Security Testing Methodology Manual
• Doing security assessments of your business partners - InformationWeek March 2002

Formal Security Models - Bell Lapadula, Biba, Clark-Wilson. Department of Defense Orange book concepts, European ITSEC, the Common Criteria

• Not The Orange Book - informal and unauthorized guide to TCSEC
• Formal Models from the CISSP open study guide
• More formal models

Network Security and Firewalls. Threats and counter-measures specific for dial-up and Internet access. Types of Firewalls.

General Info

• World Wide Web Security FAQ
• CISCO SAFE blueprint for network security

Virtual LANs (VLANs) as a security tool

• Cisco VLAN Security White Paper
• VLAN attacks described

IPSec and other Virtual Private Network

• An Illustrated Guide to IPSec
• IPSec in the MS Windows environment

Voice Over IP security

• article - How Secure is Voice Over IP?
• Voice Over IP Security Alliance
• A tool for turning packet dumps of VoIP into wav files

Wireless LAN security

• Papers on WiFi Security from the SANS Reading Room
• Wireless LAN Security Guide by George Ou
• Six dumbest ways to secure a wireless LAN by George Ou

Legal and regulatory issues. Torts. Intellectual property. Statutes governing computer use and security. Principals of evidence gathering and investigation.

General Info

• Collection of Computer Law Links
• US DOJ - Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
• Computer Crime Laws by State
• US Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
• Computer Records and Federal Rules of Evidence

Cryptography and electronic commerce. Principals of cryptography, public vs. private key systems, digital signatures.

Crypto Fundamentals

• MASSIVE list of crypto-related sites by Peter Gutmann (New Zealand)

Public key certificates

• How to obtain a public key certificate

Beware Bad Cryptography!

• Why Cryptography is Harder than it Looks - Bruce Schneier
• The Cryptography Snake Oil FAQ

Vendors

• RSA - the premier source of commercial cryptography
• BT Counterpane - Founded by Bruce Schneier