CENG 418

Information Security

Information Security is a comprehensive study of the principles and practices of computer system security, including operating system security, network security, software security and web security. Topics include common attack techniques such as viruses, trojans, worms and memory exploits; the formalisms of information security, such as access control and information flow theory; common security policies such as the BLP and Biba models; basic cryptography, RSA, cryptographic hash functions, and password systems; network intrusion detection; software security theory; web security; and legal and ethical issues in computer security.

Learning Outcomes:

1. To be able to learn the common security threats in the digital world.
2. To be able to learn the foundational theories of information security.
3. To be able to learn the basic principles and techniques for designing a secure system.

Week Topics
1 - Introduction - Course introduction (syllabus, policies, projects, and recent cyber threats overview); An overview of information security: confidentiality, integrity, and availability
2 - Understanding the Threats - Malicious software (viruses, trojans, rootkits, worms, botnets); Memory exploits (buffer overflow, heap overflow, integer overflow, format string)
3 - Formalisms - Access control theory, access control matrix; Information flow
4 - Policy - Security policies; Confidentiality policies (BLP model); Integrity policies (Biba and Clark-Wilson models); Hybrid policies (Chinese Wall model, role-based access control)
5 - Cryptography I - Block and stream ciphers; Cryptographic hash functions, Message Authentication Codes (MAC); Public and private key systems
6 - Cryptography II - Message digests; Approximate strength of ciphers; Authentication; Password system
7 - Midterm
8 - Systems - Secure design principles (least privilege, fail-safe defaults, complete mediation, separation of privilege); TCB and security kernel construction; System defense against memory exploits; UNIX security and Security-Enhanced Linux (SELinux); Windows security
9 - Network Security I - TCP/IP security issues; DNS security issues and defenses
10 - Network Security II - TLS/SSL; Network intrusion detection and prevention systems; Firewalls
11 - Software Security - Vulnerability auditing, penetration testing; Sandboxing; Control flow integrity
12 - Web Security - User authentication, authentication-via-secret and session management; Cross Site Scripting, Cross Site Request Forgery, SQL Injection
13 - Legal and Ethical Issues - Cybercrime and computer crime; Intellectual property, copyright, patent, trade secret; Hacking and intrusion; Privacy, identity theft