Information Systems Security

Course
Semester: Spring

Year: 2022
General Course Information

Course Lecturer Name(s):  Keston Bhola

Course Director Name: N/A

Course Lecturer(s) Contact Information:  kbhola001@sgu.edu, ext. 3750

Course Director Contact Information: N/A 

Course Lecturer(s) Office Hours:  10:00 – 3:00 | Tue & Thu 

Course Director Office Hours: N/A

Course Lecturer(s) Office Location:  Leeward Hall, 2nd Floor

Course Director Office Location: N/A

Course Support: Mary Celestine, mcelesti@sgu.edu, Ext. 3726

Course Management tool: To learn to use Sakai, the Course management tool, access the link https://apps.sgu.edu/members.nsf/mycoursesintro.pdf

Course Curriculum Information

Course Description: 

Our world is becoming increasingly dependent on data and the systems that accept, process, provide and store it. In addition, network technologies have facilitated interconnection among these various systems, allowing access from virtually anywhere. As John Gage put it, the network is the computer (Graham-Cumming, 2019).[1] Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Despite its countless uses and advantages, this affordance comes with numerous risks. Securing cyberspace is now synonymous with securing the normal functioning of our daily lives (Jacobs, 2011).[2]

The US federal government's Committee on National Security Systems (CNSS) defines Information Systems Security as: “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.” (Committee on National Security Systems, 2010)[3]

This course consequently provides students with the knowledge to ensure information assurance and security in the application of technology in an organization. It does so by covering topics related to the foundational principles of information and cybersecurity, namely Confidentiality, Availability, and Integrity, often referred to as the CIA triangle. It covers areas such as risk and threat analysis and appropriate mitigation techniques, installation and configuration of hardware and software security controls, and disaster management and recovery procedures. All of these are discussed within the context of applicable regulatory frameworks.

Course Objectives: 

  1. Identify various network components, both hardware- and software-based, to support organizational security.
  2. Analyze indicators of compromise and determine the type of attack.
  3. Perform basic penetration testing and vulnerability scanning.
  4. Participate in risk mitigation activities.
  5. Discuss cloud and virtualization concepts.
  6. Explain cryptography algorithms and their basic characteristics.
  7. Draft IT policies.
  8. Identify applicable regulatory frameworks.

Student Learning Outcomes:

  1. Differentiate between threats, vulnerabilities, and attacks.
  2. Compare and contrast types of attacks.
  3. Perform threat analysis and respond with appropriate mitigation techniques.
  4. Install and configure systems to secure applications, networks, and devices.
  5. Compare and contrast identity and access management concepts.
  6. Discuss and evaluate policies, laws and regulations that are relevant to safeguarding an organization’s information assets.
  7. Discuss incident response and recovery procedures.
  8. Compare and contrast cryptographic concepts.

Program Outcomes Met By This Course:

CTPO1 - Analyse a problem, identify, and define the computing requirements appropriate to its solution

CTPO2 - Design, implement, and evaluate a computer-based system, process, component, or program to meet desired needs

CTPO4 - Recognize the need for and engage in continuous professional development.

CTPO5 - Apply current techniques, concepts, skills, tools, and best practices used in the core information technologies

SAS Grading Scale: Grades will be assigned as follows:

A  = 89.5% or better

B+ = 84.5 - 89.4%

B  = 79.5 - 84.4%

C+ = 74.5 - 79.4%

C  = 69.5 - 74.4%

D  = 64.5 - 69.4%

F = 64.4% or less 

Course Materials:

Primary Text: 

CompTIA Security+ SY0-601 Cert Guide (Certification Guide), 5th Edition, Omar Santos (Author), Ron Taylor (Author), Joseph Mlodzianowski (Author), Pearson IT Certification (October 2021)

Supplementary Readings/Resources: 

Numerous resources are available from professional journals, web sites, magazines, news companies, manufacturers, industry trade groups and regulatory agencies. Access to these is usually facilitated through the World Wide Web.

Books from these authors are also highly recommended and are readily available online: Mike Meyers, Mike Chapple, Darril Gibson

Course Grading Requirement:

Course assessments are broken into these four broad categories:

  • Assignments: assessments involving theory, research, and analysis.
  • Labs: practical assessments. Some may be recorded as mini-labs, which are labs that may not be graded. If graded, their weight is significantly less than that of the full ‘Labs’.
  • Forums: peer-based discussions. Post your thoughts on a particular subject. View and respond to your classmates’ posts.
  • Exams: assessments under strictly controlled conditions. Given using ExamSoft Examplify (with Exam Monitor). Include midterm and final exams.

The course may also involve short in-class quizzes (TurningPoint/Sakai) that assess your understanding of concepts at the end of class sessions. These quizzes may not be as rigorously controlled and, even if graded, primarily help you assess your own understanding of the material.

Grade weight distribution is as follows:

  • Assignments: 25%
  • Labs: 20%
  • Forums: 15%
  • Exams: 25%
  • Quizzes: 15%

Course Requirements:

Software required

-Oracle VM VirtualBox – virtualization software

-TurningPoint

Android: https://play.google.com/store/apps/details?id=com.turningTech.Responseware&hl=en

iOS: https://apps.apple.com/us/app/turningpoint/id300028504

-ExamSoft

https://mycampus.sgu.edu/

Other software will be provided as needed

Course Schedule

Week | Topics | Readings | Assessment and Activities

Week 1

Topics: Syllabus Discussion

Readings:

  • Syllabus [In Sakai]
  • Syllabus Addendum
  • CompTIA Security+ Exam objectives

Assessment and Activities: Install TurningPoint on your device; look up the requirements of the Security+ exam

Topics: Introduction to Information Systems Security

-Definitions, related fields
-Importance, relevance
-Security principles and goals (CIA triangle)
-Training and certifications

Readings: Chapter 1, pp. 3-8

Topics: Basic threats (Vulnerabilities and risk)

-think like a hacker
-actor types and attributes

Readings: Chapter 1, pp. 9-11

Assessment and Activities: Chapter 1 Forum

Week 2

Topics: Types of Attacks

-Social engineering
-Network
-Application/service
-Other application vulnerabilities and attacks

Readings: Chapter 5, pp. 144-158; Chapter 7, pp. 226-250; Chapter 9, pp. 285-294; Chapter 17, pp. 583-590

Assessment and Activities: Labs 2.1, 2.2, 2.3 (A, B, C)

Week 3

Topics: Malware

-Viruses, ransomware, worms, trojans, spyware/adware, rootkits

Readings: Chapter 2

Assessment and Activities: Assignment 1: Social Engineering

Topics: Physical and Facilities Security Controls

Readings: Chapter 17, pp. 593-602; Chapter 10, pp. 321-326

Assessment and Activities: End of Chapter Quiz [Weeks 1, 2, 3]

Week 4

Topics: Infrastructure Security: Computer

-OS security (applications and system), vendor recommendations
-Virtualization concepts
-Security applications
-Securing hardware and peripherals

Readings: Chapter 3, pp. 53-66; Chapter 4; ADD Ch. 5 here (App. Security)

Assessment and Activities: End of Chapter Quiz [not given]; Labs 4.1, 4.2

Week 5

Topics: Infrastructure Security: Network

-design elements
-how a network works: IP address, ports, URLs, the Internet
-cloud and server defense
-securing wired networks and devices

Readings: Chapter 6; Chapter 7, pp. 217-225; Chapter 9, pp. 285-294 [See week 2 duplicate]

Assessment and Activities: End of Chapter Quiz [not given]; Forum

Week 6

Topics: Network security technology, tools and approaches

-Firewalls, VPNs, Routers, Gateways, Access Points
-Honeypots and honeynets
-Network Intrusion Protection Systems (NIPS) and Network Intrusion Detection Systems (NIDS)
-Other command line tools

Readings: Chapter 3, pp. 53-57; Chapter 8

Assessment and Activities: Lab; End of Chapter Quiz; Assignment 1 due

Week 7

Topics: Infrastructure Security: Wireless and Mobile Devices

-management concepts
-deployment models (BYOD, VDI, corporate-owned)
-attacks and vulnerabilities

Readings: Chapter 3, pp. 66-78; Chapter 9, pp. 295-311

Assessment and Activities: Forum; [Study for Midterm]; [Peer review…assignment 1]

Week 8

Topics: Midterm Exam

Week 9

Topics: Risk and Vulnerability Management

-basic concepts
-application vulnerabilities
-penetration testing vs. vulnerability scanning
-vulnerability management

Readings: Chapter 5, 12 (Remove Ch. 5 from here…place in week 4)

Assessment and Activities: Assignment 2 given; Labs; End of chapter quiz

Week 10

Topics: Monitoring and audit: use appropriate tools to assess the security posture of an organization

-monitoring and auditing
-network scanners, protocol analyzers, vulnerability scanners, exploitation frameworks

Readings: Chapter 13

Assessment and Activities: Labs; End of chapter quiz

Week 11

Topics: Identity and Access Management

  • authentication, authorization and accounting (AAA) - biometrics, physical access controls, two factor authentication
  • account types and policies

-VPNs

Readings: Chapter 10, 11

Assessment and Activities: Lab; Forum discussion; End of chapter quiz

Week 12

Topics: Cryptography and PKI

-Use cases including authentication and nonrepudiation
-Symmetric and asymmetric algorithms
-Steganography and obfuscation

Readings: Chapter 14

Assessment and Activities: Lab; Forum discussion; End of chapter quiz; [REMOVE]

Week 13

Topics: Cryptography and PKI

-digital signatures and certificates
-random number generation
-PKI discussion
-wireless security settings
-Cryptographic Attacks

Readings: Chapter 15

Assessment and Activities: Lab; End of chapter quiz

Week 14

Topics: Redundancy and Disaster Recovery

-Redundancy and backup
-Incident response
-Continuity and recovery

Readings: Chapter 16

Assessment and Activities: Forum discussion; End of chapter quiz

Week 15

Topics: Policy, Legal Regulations & Compliance

-Operating procedures
-Personnel management: Separation of duties, principles of least privilege, hiring, background checks, exit checks
-Security policies: SGU Computing guidelines and policies examples

Readings: Chapter 18

Assessment and Activities: Assignment; Forum; End of chapter quiz

Week 15

Topics: Policy, Legal Regulations & Compliance

  • Legislative Regulation of Electronic Conduct in Grenada
  • Other regulatory frameworks (Caribbean, international and other jurisdictions)

Organizational Policies

  • data sanitization

Assessment and Activities: Guest Lecture; Forum Discussion

Week 16

Topics: Final Exam

School of Arts and Sciences Master Syllabi — Info for All Sections

Plagiarism Policy

Academic Integrity

The St. George’s University Student Manual (2019/2020) states as follows:

“Plagiarism is regarded as a cardinal offense in academia because it constitutes theft of the work of someone else, which is then purported as the original work of the plagiarist. Plagiarism draws into disrepute the credibility of the Institution, its faculty, and students; therefore, it is not tolerated” (p. 48).

Plagiarism also includes the unintentional copying or false accreditation of work, so double-check your assignments BEFORE you hand them in.

Be sure to do good, honest work, credit your sources and reference accordingly and adhere to the University’s Honor Code. Plagiarism and cheating will be dealt with very seriously following the university’s policies on Plagiarism as outlined in the Student Manual.

Your work may be subject to submission to plagiarism detection software. Submission to this system means that your work automatically becomes part of that database and can be compared with the work of your classmates.

Attendance Requirement

The St. George’s University Student Manual (2019/2020) states as follows:

“Students are expected to attend all classes and/or clinical rotations for which they have registered. Although attendance may not be recorded at every academic activity, attendance may be taken randomly. Students’ absence may adversely affect their academic status as specified in the grading policy. If absence from individual classes, examinations, and activities, or from the University itself is anticipated, or occurs spontaneously due to illness or other extenuating circumstances, proper notification procedures must be followed. A particular course may define additional policies regarding specific attendance or participation” (p. 9).

Examination Attendance

The St. George’s University Student Manual (2019/2020) states as follows:

“All matriculated students are expected to attend all assigned academic activities for each course currently registered. Medical excuses will be based on self-reporting by students. Students who feel they are too sick to take an examination or other required activity on a specific day must submit the online SAS medical excuse, which is available on Carenage. Students are only allowed two such excuses a year. Upon consultation with the Director of University Health Service, the third excuse will result in a mandatory medical leave of absence. The policies regarding make-up examinations are at the option of the Course Director” (p. 46).

For additional specific examination policies and procedures, refer to the St. George’s University Student Manual (2019/2020), pages 31 through 37.

Student Accessibility and Accommodation Services Policy

The St. George’s University Student Manual (2019/2020) states as follows:

“A student with a disability or disabling condition that affects one or more major life activities, who would like to request an accommodation, must submit a completed application form and supporting documentation to the Student Accessibility and Accommodation Services (SAAS) located in the Dean of Students Office. It is highly recommended that students applying for accommodations do so at least one month before classes begin to allow for a more efficient and timely consideration of the request. If a fully completed application is not submitted in a timely fashion, an eligibility determination may not be made, and accommodations, where applicable, may not be granted prior to the commencement of classes and/or examinations” (p. 8).

Disclaimer

It is the responsibility of the student to read and understand the policies, laws, rules and procedures that, while they could affect the student’s grade for a course, have not been specifically outlined in the course syllabus. These are contained in the St. George’s University Student Manual.