Instructor: Clay Shields
Email: clay at cs dot georgetown dot edu
Phone: (202) 687-2004
Office: Reiss 222
Mailbox: Reiss 240
Office Hours: Wednesday, 2-4, and by appointment
Description:
This course is intended to introduce students to means of assuring the confidentiality, integrity, and availability of information through mechanisms of technology, policy, and education. Topics will include: access control; authentication; security policies and enforcement; security design principles; malicious logic; vulnerability analysis; intrusion detection and response; audit; risk assessment; personnel and physical security; and legal, ethical, and social issues.
Prerequisites: COSC 173.
Texts:
This semester we will be using two different textbooks. One, available at the bookstore, is:
Practical Unix and Internet Security, 2nd Edition, by Garfinkel and Spafford.
While this is not the most current book out there, it is very comprehensive and could be a valuable reference for the future.
The second book has not yet been published, but we will be working with a pre-print that will be available on Blackboard. This book is:
Computer Security: Art and Science, by Matt Bishop.
Topics and Readings:
While I do not expect the material in this class to be difficult, there is quite a bit to cover. Readings in the Bishop book and the Garfinkel and Spafford book are listed with the topic. Additional readings will be given on particular topics during the semester; most will be available on-line. Students will also be expected to subscribe to the following two mailing lists for the semester:
Bugtraq:
This is a list that carries discussion of security problems of existing systems. It is relatively high volume, so I suggest that you subscribe to the digest version. The easiest way to do this is to send a blank e-mail message to:
bugtraq-digest-subscribe@securityfocus.com
RISKS Digest:
This is a relatively low-volume mailing list that carries discussions of the risks of computer error, misuse, and malfunction to humans and society. You may receive it in any of several ways: through the web, through the newsgroup comp.risks, or by e-mail.
http://catless.ncl.ac.uk/Risks
Topic
Introduction to Information Assurance
Policy Issues
Physical and Personnel Security
Cryptography Overview
Key Management
Identity and Authentication
Access Control
Malicious Code
Confinement
Secure System Design and Implementation
Audit and Integrity
TCP/IP Security
Firewalls
Intrusion Detection
Denial of Service
Response to Attacks
Vulnerability Analysis
Trust
Other readings:
A. Georgetown University Computer Systems Acceptable Use Policy, http://www.georgetown.edu/technology/use/
Projects:
Educational module development | Part 1: January 31st, in class; Part 2: February 12, in class (or before, by e-mail) |
Crypto tools | Due February 19, by e-mail, prior to class |
Password Protected File | Due March 14th, by e-mail, prior to class. |
Part 2 of Password Program | Due April 2nd, by e-mail, prior to class. |
Grading:
Homework and Assigned projects | 25% |
Individual Project | 20% |
Midterm, February 28, 2002 | 25% |
Final | 30% |