Syllabus for
CS 5950: Computer Security and Information Assurance
Spring 2007
Department of Computer Science
Instructor: Dr. Leszek (LEH-shek) Lilien
CEAS B-249, phone: (269) 276-3116
Email: llilien@cs.wmich.edu (do not use email without “cs”).
Notes on email use:
Please send e-mail only in important and urgent matters. I can’t and will not handle other e-mails.
Only e-mail conforming to the following requirements will be read by me:
a) Sent from a WMU account - ending with “wmich.edu” (of course, this includes accounts ending with “cs.wmich.edu”).
b) Each message must have a descriptive subject with the indicated prefix:
CS5950-S07--<your last name>: <descriptive subject here>
For example, subjects of John Smith’s messages must be as follows:
CS5950-S07--Smith: <descriptive subject here>
c) Attached files must be scanned with up-to-date anti-viral software, and the message including them must contain the following statement:
I have scanned the enclosed file(s) with <name of software, its version>, which was last updated on <date>.
where <date> should be today’s date. (You should have the habit of updating your anti-viral software daily!)
Lectures: CEAS C-136, Tuesdays and Thursdays 8:30 am – 9:45 am
Office Hours:
Tuesdays 5:30 pm – 6:30 pm
Thursdays 10:00 am – 11:00 am, 5:30 pm – 6:30 pm
Class Web Pages:
Syllabus - main page (this page): index.htm
Detailed course outline: outline.htm
Class slides and announcements: slides+announcements.htm
Course Overview:
This course is a survey of topics in the realm of computer/network security and information assurance. It introduces topics ranging from cryptographic techniques to trusted systems to multilevel security to network security to ethics in the computing profession. Students will learn fundamental concepts of security that can be applied to many traditional aspects of computer programming and computer system design.
Prerequisites:
Grade C or better in CS 4540: Operating Systems or equivalent, or instructor’s permission.
Grade C or better in CS 5550: Computer Networks or equivalent, or instructor’s permission.
Texts:
Required: Pfleeger and Pfleeger, Security in Computing. Third Edition, Prentice Hall PTR, 2003, ISBN 0-13-035548-8 (http://www.phptr.com/title/0130355488)
Highly recommended (for lab exercises): V.J. Nestler, W.A. Conklin, G.B. White, and M.P. Hirsch, Computer Security Lab Manual, McGraw-Hill/Irwin, 2005, ISBN 0-07-225508-0 (http://www.securitylabmanual.com)
Course Objectives:
The course is designed to provide knowledge including the following:
· Security terminology
· Basic cryptographic techniques: terminology, basic ciphers, private and public key encryption, uses of encryption
· Network security: threats (incl. impersonation, spoofing, DoS, DDoS), controls (incl. encryption, strong authentication), selected network security tools (firewalls, intrusion detection)
· Program security: nonmalicious program errors (incl. buffer overflows), viruses, other malicious code, targeted malicious code, controls against program threats
· Protection in operating systems: protected objects, methods of protection, access control, authentication
· Database security: security requirements, sensitive data, inference, multilevel databases
· Legal, ethical, privacy issues in Computer Security
Performance Objectives:
At the end of the course, all students should be able to:
· Describe and correctly use fundamental terminology in the area of computer/network security and information assurance
· Describe fundamental concepts of cryptography and assess the strengths and weaknesses of common cryptographic protocols
· Understand security threats and available controls in networks
· Identify weaknesses in program design and be able to categorize basic forms of attack against programs
· Understand the basic concepts of security with regard to operating systems and access control
· Describe database attacks and protections against such attacks
· Appreciate and understand the legal, ethical, and privacy issues in computer security
Grading:
Lab 30%
Midterm 30%
Final 40%
Course Policies:
- Lecture notes will be available on-line on the “slides and announcements” page. You should study the slides and read announcements (if any) after/before each lecture.
- Taking notes during classes is highly encouraged. In particular, you should write down anything that is written on the board or shown on the document projector. You are encouraged to slow me down if you need more time to take notes.
- Attendance is required. If you must miss a lecture, make sure that you don’t miss announcements.
- Ms. Akshitha Guduru is the lab TA. Her web page for the lab is: TBA
- Lab assignments, based on the recommended textbook (“Computer Security Lab Manual”), will be weekly or bi-weekly.
- The assignments must be run entirely in the secure environment of the Computer Security Lab (CEAS C-208). Running them in any other environment, including your own desktop or laptop, is prohibited since it may cause security threats to you or others.
- Reports or demonstrations (to the lab TA) will be required for each lab assignment.
- Each assignment will have a due date/time. For each day an assignment is late, 10% of the maximum assignment score will be deducted. Weekends and holidays are not counted when calculating lateness. No assignments will be accepted after 11:59 pm on Thursday, April 19, 2007.
- There will be two exams for the class.
- The midterm exam will be announced at least a week in advance (most probably, it will be held during the sixth week of the semester). It will be held during the normal class time.
- The final exam will be held during the finals week, as scheduled by the Registrar’s Office (http://www.wmich.edu/registrar/finalexam.html): 8:00 am – 10:00 am on April 23 (Monday).
- If you miss an exam, the decision on how to make it up will be made on an individual basis. Usually, you will be required to take a make-up exam. To be excused there must be significant circumstances beyond the student’s control. Generally this will require documentation, such as a doctor’s note in the case of an illness.
NOTE: No make-up exams will be given for reasons other than emergency situations completely beyond the student’s control. If you know ahead of time that the final exam time conflicts with your plans, do not register for this class. (In particular, early flight reservations are not an acceptable reason for a make-up exam.)
You are expected to stay alert and pay attention to the directions/announcements in the class. Cellphones, PDAs, and other electronic devices should NOT be used during the lecture and should be turned off.
If available, you may bring your laptop to the class.
Other Notes:
· Since email and telephone limit interactions, please see me during my office hours in case of any course difficulties. (In justified cases, a special appointment can be made.)
· No questions will be answered on the date of a quiz/exam. No office hours will be held on the days of the midterm and final exams.
· A make-up quiz/exam can be given only when a student presents a valid emergency reason for missing the quiz/exam, with well-documented evidence. Without such a reason and evidence, the student will lose all quiz/exam points.
Academic Integrity:
Academic Honesty Statement (WMU Policy)
You are responsible for making yourself aware of and understanding the policies and procedures in the Undergraduate Catalog (pp. 274-276) or the Graduate Catalog (pp. 25-27) that pertain to Academic Honesty. These policies include cheating, fabrication, falsification and forgery, multiple submission, plagiarism, complicity and computer misuse. If there is reason to believe you have been involved in academic dishonesty, you will be referred to the Office of Student Conduct. You will be given the opportunity to review the charge(s). If you believe you are not responsible, you will have the opportunity for a hearing. You should consult with me if you are uncertain about an issue of academic honesty prior to the submission of an assignment or test.
Please be aware that I will not tolerate any breaches of academic integrity.
Due to the nature of this course, should a student use any information learned or any facilities provided by the course in an unethical way, I will ask the Office of Student Conduct for the harshest penalties applicable. This applies to acts committed both during the course and after completing it (for example, if I hear about an incident in a faculty meeting).
[Portions of the following text courtesy of Prof. Ajay Gupta and Prof. James Yang.]
Submission of another person’s work in part or whole is not permitted. Learning can certainly occur with discussion of class material and assignments with other students, but at all times take care that you don’t represent the work of another as your own.
· If you are copying another’s work in part or whole, either by hand or electronically, you are going too far.
· If two or more people are working so closely together that the outcomes, particularly on significant portions of assignments, are essentially the same in logical structure or shared text, they are going too far.
· You should not give your completed work to someone else or accept another’s completed work to “review or look at” in either hardcopy or electronic form. This too easily facilitates copying.
· Easy availability of information, material, source codes, lecture notes, etc., on the Internet may make it possible to find solutions to your assignments on the Internet or elsewhere. It is okay to refer to those, understand them and use them to enhance your solutions, generate your own ideas, etc. However, you must give proper and full credit (see below) to the original authors of the work, if you include their ideas and/or solutions. Failing to do so is part of academic and professional dishonesty. It will not be tolerated in this class. Do not give in to temptations.
· Proper and full credit is given as follows:
- If you rephrase (write in your own words) ideas or solutions presented by others in your text, you must provide a reference in this text, and then list full bibliographic information for the reference at the end of your report, slides, etc. (Look at any research paper to see use of references.)
- Any quotations (as opposed to rephrasing) must be clearly indicated in at least two ways: (a) with a clear phrase or sentence (e.g. “Quoting Smith et al.:”), and (b) with a different form of the text (e.g., written in italics, boxed, etc.).
If you are found responsible for violation of academic honesty in the course, you will receive a penalty up to and including an E grade in the class.
Additional disciplinary actions can be taken by the Department, the College, and the University.
© 2007 by Leszek T. Lilien
Last updated on 1/10/07