Information Security and Auditing in the Digital Age

Instructor Corner

Welcome to the security book instructor corner. It suggests how this material can be, and has been, used in developing information security courses, with a sample course outline and sample projects. You can also download PowerPoint slides if you are an instructor.

This corner is still under construction. Additional materials will be posted as they become available.


For additional details, please Contact us.


Background Information: Ramblings, Musings, and Thoughts

I teach a course on information security and auditing at the Fordham Graduate School of Business. The objective of the course is to give a broad overview of the subject matter and cover the building blocks of IS security in the modern digital enterprise. The topics discussed include:

  • Management issues of policies, procedures, risks, controls, and requirements
  • Practical review of security technologies such as cryptography, authentication, authorization, non-repudiation, and commercially available security packages (PKI, PGP, Kerberos, SSL, VPN)
  • Securing wireless and wired networks by using the security technologies
  • Securing applications, databases, and platforms by using the security technologies
  • Examination of security risks associated with newer areas such as e-business, mobile applications, XML and Web Services, wireless communications, and application servers
  • Audits and controls for continued secure operations
  • A methodology that puts all of the above into a procedure

I had a great deal of difficulty in finding good text materials for this type of course. There are numerous books that cover encryption and others that cover only one aspect (e.g., network security, computer security). I thought that the handbook edited by Tipton and Krause ("Information Security Management Handbook", Auerbach, 2000) would help, but it was disappointing (badly organized, redundant, and very old topics).

The closest I could find was the book "Surviving Security" by M. Andress (SAMS 2002), but it has almost no depth. Although I used Andress's book as an overall text, I developed my own notes and assembled them into a possible textbook. This book is an early version of that textbook (a more rigorous edition will appear in summer 2004). Any comments and suggestions are welcome.

What are your experiences? What have you found? Am I missing something? Is it a death wish to teach an introductory course on IS security with broad and recent coverage of topics before spending a lifetime on cryptography?

I am sure that other courses of this nature are being taught, and since I may end up teaching this course again, I am looking for other experiences in this area. Specifically, I am looking for other materials, course outlines, references, suggestions, comments, whatever.

I will post the summary of responses on this site. Promise.

Amjad


Suggested Usage in Courses

This book has been classroom tested in different university and industrial courses over the past three years. These introductory courses were intended to provide a broad understanding of the subject matter, exposing the students to the managerial as well as technical aspects of security in the highly distributed environments of the digital age. The current book format has been largely influenced by the information security course that I taught in the Information and Communications Systems (ICS) department at Fordham Graduate School of Business. The course was offered in the Fall 2003 semester and was attended by MBA students, many of them practitioners in the IT industry.

The following course description outlines the course. I have taught variations of this course in industry. The course can be easily modified for a more technical audience by adding one or two sessions on cryptographic techniques and by reducing or eliminating the management and audit/control topics.

Course: Information Security and Auditing

Course Description
This course covers the technical as well as administrative aspects of security in modern digital enterprises from a total systems point of view instead of concentrating on one issue (e.g., network security, host security, data security, cryptography). The course starts with a comprehensive overview of security principles and practices that are needed to satisfy the IS systems integrity, confidentiality and availability requirements. The topics in this phase of the course include security awareness, security requirements, IS security and control practices, risk analysis, policies, and security management. A methodology for IS security is also introduced in this phase. The second part of the course covers the core security tools and techniques that are common to almost all security and audit practices. The topics in this phase of the course include: encryption based on symmetric/asymmetric techniques, authentication, access control, digital certificates, and digital signatures. Discussion also includes common security packages that combine these techniques into solutions such as PKI, PGP, SSL, and VPN. In the third phase, these techniques and methodology are used to build security solutions at an enterprise level. Topics in this phase cover Internet security, Web and Web Services security, XML security, application security, e-commerce security, wireless and mobile computing security, and other emerging cyber security issues. The course concludes with a discussion of information assurance in web environments, IT audit and control principles, and security audits needed for continued secure operations.

Course Objectives: Present a broad overview, with necessary details, of the following topics:

  • Management issues of policies, procedures, risks, controls, and requirements
  • Practical review of security technologies such as cryptography, authentication, authorization, non-repudiation, and commercially available security packages (PKI, PGP, Kerberos, SSL, VPN)
  • Securing wireless and wired networks by using the security technologies
  • Securing applications, databases, and platforms by using the security technologies
  • Examination of security risks associated with newer areas such as e-business, mobile applications, XML and Web Services, wireless communications, and application servers
  • Audits and controls for continued secure operations
  • A methodology that puts all of the above into a procedure
Course Text
Umar, A., "Information Security and Audits in the Digital Age", NGE Solutions, Dec. 2003

Additional Main Sources of Information
Andress, M., "Surviving Security", SAMS, 2002 (recommended)
Gallegos, F. (Editor), Allen-Senft, S., and Manson, D. P., "Guide to Information Technology, Control, and Audit"
Tipton, H. and Krause, M. (Editors), "Information Security Management Handbook", Auerbach, 2000
Additional sources and web links made available during the course


Course Grade

Two projects (200 points)
One examination, take home (100 points)
Total: 300 points
Straight percentile grade

Course Outline
Legend: U-Cn = Umar, Chapter n

Phase 1: Introduction and EDP Audits
Session 1: Introduction to information security and audits (U-C1)
Session 2: Security requirements, risk, and policies (U-C2)
Session 3: Security management and an overall methodology (U-C2, C3)

Phase 2: Security Principles and Technologies
Session 4: Cryptography techniques, symmetric/asymmetric encryption, digital signatures (U-C4)
Session 5: Authentication, authorization, accountability, availability, certificate management, non-repudiation, single sign-on (U-C5)
Session 6: Security packages (PKI, SSL, VPN, PGP, Kerberos) (U-C6)

Phase 3: Building Solutions to Secure IT Assets
Session 7: Review of IT assets, network security principles and firewalls (U-C7, C8)
Session 8: Internet security, VPNs/IPSec, remote access security (U-C8)
Session 9: Wireless network security (U-C9)
Session 10: Web, Semantic Web, and XML security (U-C10)
Session 11: Distributed platform, Web Services, and .NET security (U-C11)
Session 12: Application security, e-commerce security, mobile application security (U-C12)
Session 13: Auditing and control, security audits (U-C13)
Session 14: Wrap-up and trends (U-C14)

Suggested Sample Projects


Projects are crucial to the learning experience. In the security courses I have taught, I have generally used two team projects (teams of 2-3 members) that include a mixture of research, hands-on experiments, and architectural analysis. Here is a sample list. You can pick any two, or combine some of these to build larger team projects.

  • Pick a security package, install it, and give a demo of how it really works and how it can be used. Many students have used PGP due to its ready availability and have exchanged PGP-encrypted emails with each other. It works well. Examples of other packages are Kerberos, PKI, and SSL. For example, some students were able to obtain free trial digital certificates from Verisign and installed them in their browsers to experiment with various SSL options.
  • Build a security solution for a sample company. The company is introduced in the early part of the project, and then various security issues are addressed to develop a complete solution. The book's case study on NRW is an example and was in fact developed from student assignments. Instructors can extend this case study by adding capabilities to NRW that expose new threats to be addressed by a complete security solution. In many cases, the students chose a company with which they are familiar.
  • Conduct a security audit of an actual or fictitious corporation. Many students have chosen parts of their own organization or audited parts of the university network, firewalls, etc.
  • Research special topics such as security policies, security audits, wireless security, e-commerce security, Web Services security, XML security, SAML, .NET security, controls for security, intrusion detection systems, non-repudiation, attack trees, honeypots, the latest developments in cryptography, and many others. The material in this book serves as a good starting point. The main idea is to have students go beyond the classroom discussion and investigate the latest research and industrial developments. Students are asked to develop a proposal early in the term and then make presentations on these topics and/or write a report.
  • Programming assignments are especially useful pedagogical tools for students with an adequate technical background, and are particularly suitable for courses in computer science departments. Many security packages now provide APIs that can be used to gain insight into system security. Students can, for example, build simple intrusion detection systems that detect intrusions the students themselves generate in a lab setting.


Downloads of Lecture Slides

When you click on the links below, you will receive a zipped file with chapter slides for each Part of the book. You will need an ID and password to access these slides.

If you are an instructor and want a free review copy of the material, please Contact us with your university/college name, possible course title, etc. We will send you the IDs and passwords for the slides plus the text chapters.

Part 1 Slides (ppt)
Part 2 Slides (ppt)
Part 3 Slides (ppt)
Part 4 Slides (ppt)
Part 5 Slides (ppt)