IT 466

Catalog Data: 466 Information Assurance and Security (3:2:3) F,W Prerequisite: IT 344 (Operating Systems), 347 (Networks), 350 (Databases), Statistics 221. Vulnerability mitigation and hands-on implementations of Information Assurance and Security (IAS) concepts for both Unix/Linux and Windows. Firewalls, intrusion detection, intrusion protection, access control, user authentication, public key infrastructure, cryptography, encryption, infrastructure audits, business continuity, and both physical and logical infrastructure security.

Textbooks:

  • John Chirillo, Hack Attacks Revealed, Wiley Publishing, 2002, ISBN: 0-471-23282-3
  • Tony Howlett, Open Source Security Tools, Prentice Hall, 2004, ISBN: 0-321-19443-8

Lab Textbook: None. A set of ten specifically written lab handouts is provided.

Reference Books:

  • Markow, Mark S.; Breithaupt, James, The Complete Guide to Internet Security, 2000, American Management Association, New York, ISBN: 0-8144-7070-X.
  • McClure, Stuart; Scambray, Joel; and Kurtz, George, Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition, McGraw-Hill/Osborne, 2003, New York, ISBN: 0-07-222742-7.
  • Nichols, Randall K.; Ryan, Daniel J.; & Ryan, Julie J.C.H., Defending Your Digital Assets Against Hackers, Crackers, Spies & Thieves, 2000, McGraw-Hill, New York, ISBN: 0-07-213024-5.
  • Panko, Raymond R., Corporate Computer and Network Security, Prentice Hall, 2004, Upper Saddle River, NJ 07458, ISBN: 0-13-038471-2.
  • Schneier, Bruce, Beyond Fear, 2003, Copernicus Books, New York, ISBN: 0-387-02620-7.
  • Stallings, William, Cryptography and Network Security: Principles and Practices, Third Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003, ISBN: 0-13-091429.

Reference Books:

  • Birkholz, E. P., Special OPS Host and Network Security for Microsoft, UNIX and Oracle, Syngress, Rockland, MA, 2003, ISBN: 1-931836-69-8.
  • CobiT Control Objectives, IT Governance Institute, Rolling Meadows, Illinois 60008.
  • Erickson, J., Hacking: The Art of Exploitation, No Starch Press, San Francisco, 2003, ISBN: 1-59327-007-0.
  • Macfarlane, Ivor; Rudd, Colin, IT Service Management, 2001, itSMF Ltd, Reading, United Kingdom, ISBN: 0-9524706-4-0. (ITIL)
  • McClure, Stuart; Shah, S.; Shah S.; Web Hacking Attacks and Defense, Addison-Wesley, NY, 2003, ISBN: 0201761769.
  • Northcutt, Stephen, et al., Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems.
  • Schneier, Bruce, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, Wiley, New York, 1996, ISBN: 0-471-12845-7.
  • Stallings, William, Network Security Essentials - Applications and Standards, Second Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003, ISBN: 0-13-035128-8.
  • Vaca, J., Internet Security Secrets, IDG Books Worldwide, Inc., Foster City, CA, 1996, ISBN: 1-56884-457-3.

Class website: http://class.et.byu.edu/it461r/

Class Coordinator: Gordon Romney

Goals: On completing this class students will understand the differences between IT business continuity, disaster recovery and incident management. The course will focus primarily on incident management and will provide experience with real implementations of computer information assurance and security (IAS) in addition to an understanding of IAS concepts and vocabulary. The homework, lab and lab team project will confront students with hacking, intrusion and security situations that will build confidence through hands-on problem solving. Students will participate in the development and implementation of security Best Practices that easily extend from a lab to a production environment by performing a Security Audit. Individual student research and presentation of a lecture topic coupled with team problem solving will enhance the student's ability to teach and maintain a secure business environment in areas of future employment. The ultimate goal is to exceptionally prepare students to be sought after by employers who want loyal, ethical and well-prepared IT practitioners with premier training in IAS skills and knowledge.

Prerequisites by topic:

  • Competently install and configure a Unix/Linux operating system, an MS-Win operating system and an MS 2003 or equivalent server. (IT 344/IT 347)
  • Competently configure infrastructure topologies that include servers (Unix/Linux and Windows), routers and switches. (IT 347)
  • Competently configure and use MySQL databases and proficiently use SQL. (IT 350)
  • Capable of using statistics to determine errors in hardware utilization. (Stats 221/322/361)

Outcomes

  • Know and understand the Information Assurance and Security (IAS) components and their functions that comprise the three interactive dimensions of the MSR Cube model:
    1. Technology, Policy & Procedure, and People
    2. Maintaining or providing Availability, Integrity, Authentication, Confidentiality and Non-Repudiation, for
    3. the Transmission, Storage and Processing of Information.
  • Perform a security audit of an infrastructure by delivering a formal written audit report.
  • Explain the causes of, diagram and demonstrate the vulnerability mitigation and recovery process.
  • Implement access control and user authentication in both Windows and Linux environments, including:
    1. Symmetric and asymmetric cryptography
    2. SSL, TLS and IP-sec
    3. PGP and MS-CA server and issue appropriate certificates
  • Install firewalls, a honeywall, intrusion detection, and intrusion prevention in an operating honeynet environment involving both Linux and Windows honeypots.
  • Explain and demonstrate the data privacy risks created by malware, web parasites, and inadequate system and application security technology.
  • Demonstrate remote (including VPNs) or wireless access and their associated hacking vulnerabilities.
  • Develop an appreciation through project assignments of the value of continued learning on new topics that promote life-long learning disciplines.
  • Learn to weigh the ethical implications of giving proper attribution, honoring the intellectual property of others and respecting licensing laws.

Laboratory projects: IAS is learned by doing.   Labs are a fundamental component in this learning process.

Ten laboratory assignments are structured for the course, several of which are team efforts.

Laboratory topics (topics do not necessarily correspond to individual lab exercises):

  • Configure Active Directory with a focus on Group Policy Objects.
  • Use Active Directory and Domain Controllers, create and demonstrate Active Control Lists.
  • Install and configure Exchange 2003 e-mail server, Exchange System Manager (EMS), Internet Information Service 6.0 (IIS), and a Certificate Authority on a domain controller in the IT domain requiring use of Secure Socket Layer (SSL). Have it issue certificates to workstations and generate an operational SSL certificate.
  • Implement a packet-filtering firewall in Linux Security Engineering and Auditing and demonstrate cracking skills, with permission. Install a Honeywall for a GenII Honeynet as a project team.
  • Install and configure an Intrusion Detection System and Intrusion Prevention System on a Honeynet. Install two Honeypots, (1) Windows and (2) Linux, as a project team.
  • Configure a VPN or a wireless network and demonstrate common hacking techniques.
  • Demonstrate two of the following Denial of Service Attacks:
    1. Memory hacking and buffer overflows.
    2. Stack-based overflows and heap and bss-based overflows.
    3. IP-spoofing and Trojan Horses.
    4. TCP and IP Hijacking.
  • Demonstrate four of the following security audit functions with Nessus:
    1. Network sniffing
    2. Port scanning
    3. Wireless sniffing
    4. SMTP and tracing e-mail
    5. Fuzzy fingerprints
    6. Differing SSH protocol host fingerprints
    7. Computer Forensics techniques
  • Develop and demonstrate a MySQL database for capturing the data accumulated by the GenII Honeynet and interpret the intrusion content.
  • Perform as a team a Security Audit on an infrastructure established by another class team.

Laboratory Equipment: Computer Equipment used: Computer with administrative access. Multiple OS installations (Windows, Linux, VMware). Routers, switches, IT Sandbox, ITSecLab and IAS Lab equipment.

Written and oral communication requirements: Students will record all labs in lab reports. Students will analyze results of labs and report on them in lab reports. Reports will be evaluated for both technical content and writing quality. Students will do oral and written presentations on lab projects.

Homework Assignments: There are ten homework assignments that are hands-on hacking and malware exercises taken from the textbooks.

Math Analysis: Statistics

Library or other Research Projects: Team participation in the preparation of one IAS lecture topic of 50 minutes.

Life-long learning experiences: Students will identify several key publications (on-line or paper) which discuss new technical developments in IAS. They will select and report on one article from one of these publications. Student groups will independently research an assigned topic in IAS and teach it to the class as part of their assigned lecture.

Prepared By: G. W. Romney

Date Revised: June 2005

Brigham Young University, Provo, UT 84602 - (801)422-4636 - Copyright 2007, All Rights Reserved