Introduction to Information Assurance
Catalog Description: Introduces the confidentiality, availability and integrity goals of information systems; resistance, recognition and response categories of assurance. Focus on computer security and survivability, including cryptography, network security, general purpose operating system security and dependability, and special purpose systems for high assurance security and dependability.
Type: Technical elective for all Computer Science majors, Required for Computer Science with Information Assurance majors.
Total Credits: 3
Contact Hours: 3 lecture hours per week.
Course Coordinator: Daniel Conte de Leon
Textbook: Charles Pfleeger and Sari Lawrence Pfleeger, Security in Computing, 3rd ed, Prentice Hall, 2003. or equivalent text.
Prerequisites by Topic:
- Knowledge of fundamental material covered in the core content areas sufficient to allow achievement of project objectives
- Knowledge of basic problem analysis and solution design processes and techniques (CS 120, 121)
- Writing skills (Engl 102)
- Formal presentations skills (Comm 101)
- Proficient programming skills in a high level language such as C++ or Java ( CS 120, 121, 127)
- Knowledge of basic operating system features and functionality (CS 240, CS 270)
- Ability to understand code written by others (CS 120, 121, 383 or 480)
Major Topics Covered
- Concepts of confidentiality, integrity, and availability, and authentication, authorization, and accountability (CIA-AAA); Saltzer and Schroeder secure design principles, and Defense in depth. (3 hours)
- Legal and ethical issues in Information Assurance, specifically with focus on security. (3 hours)
- Types of threats, malicious activities, and cyber-attacks; Adversary model; Threat prioritization and adequate defenses and countermeasures. (3 hours)
- Authentication and access control. (3 hours)
- Symmetric encryption (3 hours)
- Asymmetric encryption (3 hours)
- Buffer Overflow: Types and details of buffer overflow vulnerabilities and attacks and techniques for prevention and mitigation. (3 hours)
- Program Security and assurance: software engineering concepts of security and dependability including: secure design principles, secure coding and defensive programming, testing, maintenance, and system design for security. (3 hours)
- Operating system security: issues related to general purpose operating systems for security and dependability; Vulnerability scanning and 0-day; Basics of systems hardening. (3 hours)
- Web and database security including: secure database design, cross-site scripting, and SQL injections. (3 hours)
- Network security and dependability: overview of common concerns and solutions; Firewalls and IDS. (3 hours)
- Secure systems administration: configuration management, system management, maintenance, patching, and upgrading, and organizational policies.
- Security policies and compliance issues related to the implementation of security within organizations. (3 hours)
- Define most of the common and standard terms in the domain of Information Assurance (IA).
- Describe the focus areas in Information Assurance (sub-domains) and their rationale within the domain.
- Describe the types of attacks and the potential actors and their motivations.
- Describe the most common techniques and approaches in Information Assurance and their applicability to different threats and systems.
- Demonstrate the ability to investigate and report in detail a given topic, independently and in small groups.
- Critically evaluate host and networked sample computing systems for security vulnerabilities, identify failed security design principles, and propose adequate countermeasures.
- Analyze source code in search of vulnerabilities and implement vulnerability mitigations.
- Determine and implement vulnerability mitigations in sample systems, including the use and application of information technology, software development, and human resource and organizational policy techniques and approaches.
- Describe the laws concerning information assurance, security and privacy; Indicate the U.S. laws that may apply to particular scenarios.
- Critically apply ethic principles to known and scenario-based situations.