ISA 662: INFORMATION SYSTEMS SECURITY

Professor Ravi Sandhu

TA: Baoxian Zhao, bzhao@gmu.edu

Fall 2006, Wednesday 4:30pm - 7:10pm, Thompson 138
www.profsandhu.com/isa662

Important Notice:

• 11/26/06: Exam 4 has been posted.
• 11/17/06: Sample Answer for Exam 2 has been posted.
• 11/15/06: Schedule for remainder of the semester has been further adjusted.
• 11/07/06: Schedule for remainder of the semester has been adjusted.
• 10/20/06: Schedule for part III has been adjusted.
• 10/20/06: Please consult directly with Baoxian on make-up examinations if you are unable to make the scheduled date.
• 10/13/06: Sample Answer for Exam 1 has been posted.
• 10/8/06: Assignment 2 has been posted.
• 9/14/06: Schedule has been updated.
• 7/23/06: This page is ready for the Fall 2006 semester. Items marked in red will be added later. The rest of the material is substantially stable. Bear in mind that adjustments can be made as the semester proceeds.
• Watch this space for important announcements throughout the course. Recent announcements will be highlighted in red.

Course Prerequisites:

• Must have completed all foundation requirements for the MS-ISA degree or equivalent.
• Must be internet, web and pdf (get Acrobat Reader here) capable.
• Must be capable of accessing papers available to all GMU students in the GMU Digital Library via University Libraries -- Database Wizard.

Grading:

• Grades will be based on examinations, assignments and class participation.
• Final grades will be assigned by “curving” grades assigned on individual assignments and examinations.
• All examinations will be closed-book in-class. There is no opportunity for make-up examinations except for extreme situations.

Schedule:

• The schedule is subject to change and adjustment as the semester proceeds.
• The course is structured into 4 parts. Each of the first three parts has an assignement and an examination. The fourth part comprises a single lecture. The final examination at the end of the course cvoers all 4 parts.
• Assigned readings for a lecture should be read in full in advance of the lecture for maximum benefit.
• Readings marked with a REF qualifier are not required to be read in full. Selected aspects will be covered in class.

Part I: Cryptography

Assignment for Part I is available here and due in class on 9/20/06.
• 8/30/2006:
  Part 1: Introduction to Security
  • My slides: Introduction
  • Bishop, Chapter 1 An Overview of Computer Security. Bishop's slides: ppt, pdf.
  • Good-Enough Security: Toward a Pragmatic Business-Driven Discipline, Ravi Sandhu, IEEE Internet Computing, Vol. 7, No.1, January/February 2003.
  • Unconventional Wisdom by Bellovin, S., IEEE Security & Privacy Magazine, Volume 4, Issue 1, Jan.-Feb. 2006 Page(s):88 - 88
  • How to think about security by Whittaker, J.A. and Ford, R. IEEE Security & Privacy Magazine, Volume 4, Issue 2, Mar.-Apr. 2006 Page(s): 68- 71.
  • Hackers get to the root of the problem by Dan Geer. IEEE Computer, May 2006, Page(s): 17-19.
  • The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Evan Cooke, Farnam Jahanian and Danny McPherson, Proc. USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet, 2005.
  • Malicious Bots Threaten Network Security, Dan Geer, IEEE Computer, January 2005, Industry Trends Column.
  Part 2: Cryptography
  • My slides: Introduction || Symmetric encryption
  • REF: RSA Crypto FAQ
• 9/6/2006: Cryptography continued
  • My slides: Symmetric encryption (continued) || Asymmetric encryption || Asymmetric signatures and key exchange || Symmetric MACs
  • REF: RSA Crypto FAQ
• 9/13/2006: Challenge-Response. Digital Certificates.
  • My slides: Challenge-response || Digital certificates
  • REF: RSA Crypto FAQ
• 9/20/2006: Cryptographic Protocols: SSL and its pitfalls.
  • My slides: SSL || SSL pitfalls
  • "An overview of PKI trust models" by Perlman, R. IEEE Network, Volume: 13 Issue: 6 , Nov.-Dec. 1999 Page(s): 38-43.
  • "The problem with multiple roots in Web browsers-certificate masquerading" by Hayes, J.M. Proceedings Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE 1998. (WET ICE '98) 17-19 June 1998 Page(s): 306 -311.
  • "Restricting access with certificate attributes in multiple root environments - a recipe for certificate masquerading" by Hayes, J.M. Proc. 15th Annual Computer Security Applications Conference, IEEE, 2001, Page(s): 386-390.
  • REF: The TLS Protocol, Version 1.0, RFC 2246
    “The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.”
• 9/27/2006: Examination 1 on Part I. High: 136/170, Low: 34/170, Average: 88/170, Median: 94/170

Part II: Cryptography (concluded). Access Control and Authorization.

Assignment for Part II is available here and due in class on 10/25/06.
• 10/4/2006: Cryptographic Protocols: Needham-Schroeder, Kerberos, EKE and IKE.
  
  • My slides: Kerberos || EKE || IKE
  • Bishop, Chapter 10 Key Management, Section 10.2.1 and 10.2.2. Bishop's slides: ppt, pdf (through slide 27).
  • REF: The Kerberos Network Authentication Service (V5), RFC 1510
  • REF: "Encrypted key exchange: password-based protocols secure against dictionary attacks." Bellovin, S.M. and Merritt, M. Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, 4-6 May 1992 Page(s):72 - 84.
  • REF: The Internet Key Exchange (IKE), RFC 2409
• 10/11/2006: DAC, MAC, Covert Channels, Information Flow, Chinese Walls.
  • My slides: Access Control || LBAC
  • Bishop, Chapter 2 Access Control Matrix. Bishop's slides: ppt, pdf.
  • Bishop, Chapter 5 Confidentiality Policies. Bishop's slides: ppt, pdf.
  • Bishop, Chapter 6 Integrity Policies. Bishop's slides: ppt, pdf.
  • Access Control: Principles and Practice, Ravi Sandhu and Pierangela Samarati, IEEE Communications, Volume 32, Number 9, September 1994, pages 40-48.
  • Lattice-Based Access Control Models, Ravi Sandhu, IEEE Computer, Volume 26, Number 11, November 1993, pages 9-19.
• 10/18/2006: LBAC concluded. RBAC.
  
  • My slides: RBAC96 model
  • Role-Based Access Control Models, Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, IEEE Computer, Volume 29, Number 2, February 1996, pages 38-47.
  • Proposed NIST Standard for Role-Based Access Control, David Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli, ACM Transactions on Information and System Security, Vol. 4, No. 3, August 2001, Pages 224-274.
• 10/25/2006: Examination 2 on Part II (excluding lecture of 10/4/06).
  Sample Answer
  

Part III: System Security and Assurance

There is no assignment for Part III. It is replaced by examination 4.
• 11/1/2006: Relation of RBAC to DAC and MAC.
  
  • My slides: RBAC subsumes MAC and DAC
  • Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies, Sylvia Osborn, Ravi Sandhu and Qamar Munawer, ACM Transactions on Information and System Security, Vol. 3, No. 2, May 2000, Pages 85-106.
• 11/8/2006: Orange Book, Common Criteria, FIPS 140-2
  • My slides: Orange book || Common criteria
  • Bishop, Chapter 21 Evaluating Systems. No slides.
  • REF: Orange book
  • Common Criteria: An Introduction
  • REF: Common Criteria: User Guide
  • REF: FIPS 140-2
  • REF: NIST FIPS 140-2 page
• 11/15/2006:
  Part 1: Authentication
  • Bishop, Chapter 12 Authentication. Bishop's slides: ppt, pdf.
  • Case study: online banking security by Hole, K.J., Moen, V. and Tjostheim, T. IEEE Security and Privacy, Volume 4, Issue 2, Mar.-Apr. 2006, Page(s): 14- 20.
  • Secure Internet banking authentication by Hiltgen, A., Kramp, T. and Weigold, T. IEEE Security and Privacy, Volume 4, Issue 2, Mar.-Apr. 2006, Page(s): 21- 29.
  Part 2: Intrusion Detection
  • Bishop, Chapter 25 Intrusion Detection. Bishop's slides: ppt, pdf.
  • Stefan Axelsson, "The Base-Rate Fallacy and the Difficulty of Intrusion Detection." ACM Transactions on Information and System Security, Vol. 3, No. 3, August 2000, Pages 186-205.
• 11/22/2006: Thanksgiving Holiday. No Class.
• 11/29/2006:
  Part 1: Malware
  • Bishop, Chapter 22 Malicious Logic. No slides.
  • 20 Years of Computer Viruses, Ross M. Greenberg and George Jones, TechWeb, Jul 5, 2006.
  • Ken Thomson. "Reflections on trusting trust." Commun. ACM 27, 8 (Aug. 1984) 761-763.
  Part 2: Usage Control
  • UCON paper | with markup
• 12/6/2006: Examination 3 on Part III.
• 12/13/2006: Examination 4: take-home examination is posted here. Due by hard copy on 12/13/06 at regularly scheduled class time. Submit in Room 468, ST2 Building to Baoxian Zhao.

Textbook:

• The course is based on Prof. Sandhu's slides, specified papers from the literature and portions of the following book.
  Computer Security: Art and Science by Matt Bishop. Addison-Wesley Pub Co; 1st edition (December 2, 2002) ISBN: 0201440997
• The course assumes that students have ready access to this book.

Grading:

• Examinations 1-3: 20% each for a total of 60%
• Examination 4: 13.33%
• Assignments 1 and 2: 13.33% each for a total of 26.67%
• Grades will be "curved" based on overall class performance.

Archives: Summer 2004