COSC 352
Information Assurance
Spring 2003
11:40-12:55 Tuesday Thursday
Tuesday - St Mary G40, Thursday - Reiss 262


"Trusting every aspect of our lives to a giant computer was the smartest thing we ever did!"
- Homer Simpson

Instructor: Clay Shields
Email: clay at cs dot georgetown dot edu
Phone: (202) 687-2004
Office: Reiss 222
Mailbox: Reiss 240
Office Hours: Monday and Wednesday 2:15 - 3:30, Friday by appointment

Description:

This course is intended to introduce students to means of assuring the confidentiality, integrity, and availability of information through mechanisms of technology, policy, and education. Topics will include: access control; authentication; security policies and enforcement; security design principles; malicious logic; vulnerability analysis; intrusion detection and response; audit; risk assessment; personnel and physical security; and legal, ethical, and social issues.

Prerequisites: COSC 173.

Texts:

This semester we will be using:

Practical Unix and Internet Security, 2nd Edition, by Garfinkel and Spafford.

While this is not the most current book out there, it is very comprehensive and could be a valuable reference for the future.

Topics and Readings:

While I do not expect the material in this class to be difficult, there is quite a bit to cover. Additional readings will be given on particular topics during the semester; most will be available on-line. Students will also be expected to subscribe to the following two mailing lists for the semester:

Bugtraq:
This is a list that carries discussion of security problems in existing systems. It is relatively high volume, so I suggest that you subscribe to the digest version. The easiest way to do this is to send a blank e-mail message to:

bugtraq-digest-subscribe@securityfocus.com

RISKS Digest:

This is a relatively low-volume mailing list that carries discussion of the risks to humans and society from computer error, misuse, and malfunction. You may receive it any number of ways: through the web, through the newsgroup comp.risks, or by e-mail.

http://catless.ncl.ac.uk/Risks

Topic                                          Garfinkel and Spafford   Other readings
---------------------------------------------  -----------------------  ------------------------------------------------------------
Introduction to Information Assurance          1
Cryptography Overview                          6
Policy Issues                                  2                        Georgetown University Computer Systems Acceptable Use Policy
Practical Threat Analysis and Risk Management
Physical and Personnel Security                12, 13                   Employment Background Checks
Identity and Authentication                    3, 4                     Passwords:
                                                                          Password Security: A Case History
                                                                          Observing Reusable Password Choices
                                                                          Passwords: The Weakest Link?
                                                                        Biometrics:
                                                                          Impact of Artificial "Gummy" Fingers on Fingerprint Systems
                                                                          Body Check: Biometric Access Protection Devices and their Programs Put to the Test
Malicious Code                                 11                       How to 0wn the Internet in Your Spare Time
                                                                        Reflections on Trusting Trust
Secure System Design and Implementation        23, 18 (parts)           Software Flaws:
                                                                          Smashing the Stack for Fun and Profit
                                                                          Common Vulnerabilities and Exposures
                                                                        Secure Programming:
                                                                          Secure Programming for Linux and Unix HOWTO
                                                                          Protecting sensitive data in memory
                                                                          Protecting Passwords, part 1 and part 2
                                                                          Preventing buffer overflows
Audit and Integrity                            9, 10
TCP/IP Security                                16, 17                   A Weakness in the 4.2BSD Unix TCP/IP Software
                                                                        A Simple Active Attack against TCP
Firewalls                                      21
Intrusion Detection                                                     Insertion, Evasion, and Denial of Service
Denial of Service                              25                       What do we mean by network denial of service?
Response to Attacks                            24, 26
Vulnerability Analysis
Trust                                          27

Random other links:

Things that came up in class that you might like to read.

If TiVo Thinks You Are Gay, Here's How to Set It Straight

How to obscure any URL

Projects:

Project                       Due date
----------------------------  -----------
Familiarization with Unix     February 6
Password Security             February 25
Secure Programming            March 25
Network Probe Monitoring      April 3
Attack Familiarization        April 22

Grading:

Homework and assigned projects   25%
Individual project               20%
Midterm                          25%
Final                            30%