IT 492R: Data Privacy

Catalog Data: 492 R Data Privacy, Identity Management and Identity Theft (3:2:3) F,Sp Prerequisite: IT 344 (Operating Systems), 347 (Networks), 350 (Databases) and Statistics 221. IT 466 is highly recommended. Hands-on evaluation of hacking techniques and malware for identity theft for both Unix/Linux and Windows environments is pursued. Fingerprint and Iris biometrics are evaluated for identity purposes. Symmetric and Asymmetric Cryptography authentication techniques, along with digital signature technologies, are evaluated for protecting and securing personal and corporate assets. Identity Management technologies that authenticate users, and database architectures and best practices that handle worldwide data privacy legislation are studied.

Textbook:

  • Skoudis, Ed; Zeltser, Lenny, Malware: Fighting Malicious Code, 2003. A complete guide to all kinds of malicious code, including viruses, worms, backdoors, Trojan Horses, user-mode RootKits, and kernel manipulation. Also includes detailed defenses, three movie-themed scenarios, and a guide to building your own malware analysis laboratory.

Lab Textbook: A set of ten specifically written lab handouts is provided. Additionally, access is provided to Nathan Green's Master's Thesis, Establishing Public Confidence in the Viability of Fingerprint Biometric Technology, BYU SOT, August 2005, Sections: 2.4, 3.2 and 4.1.

Reading Texts:

  • Bolle, Ruud, Guide to Biometrics, 2003.
  • O'Harrow, John, No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society, 2005
  • Reid, Paul, Biometrics for Network Security, 2003.
  • Rowden, Mark, Identity: Transforming Performance Through Integrated Identity Management, Gower Publishing Co., 2004 ISBN: 0566086182.
  • Skoudis, Ed, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2001.
  • Vacca, John R., Identity Theft, 2002. [Required]
  • Woodward, John D., et al., Biometrics, 2002.

Class website:

Class Coordinator: Gordon Romney

Goals:

Individual student research and presentation of a lecture topic coupled with team problem solving will enhance the student's ability to teach and maintain a more secure business environment in areas of future employment. The ultimate goal is to exceptionally prepare students to be sought after by employers who want loyal, ethical and well-prepared IT practitioners with premier training in Data Privacy, Identity Management skills and current knowledge on how best to prevent Identity Theft.

Prerequisites by topic:

  • Competently install and configure a Unix/Linux operating system, an MS-Win operating system and an MS 2003 or equivalent server. (IT 344)
  • Competently configure and use MySQL databases and proficiently use SQL and understand enterprise Relational Database Management Systems (RDBMS). (IT 350)
  • Capable of using statistics to determine errors in hardware utilization. (Stats 221)

Outcomes

  • Know and understand the Information Assurance and Security (IAS) components and their functions that comprise the three interactive dimensions of the MSR Cube (Maconachy, Schou and Ragsdale) IAS model:
    1. Technology, Policy & Procedure, and People
    2. Maintaining or providing Availability, Integrity, Authentication, Confidentiality and Non-Repudiation, for
    3. the Transmission, Storage and Processing of Information.
  • Demonstrate an understanding of symmetric and asymmetric cryptography encryption, decryption and digital signatures as implemented on
    1. MS 2003 Server
    2. PGP
    3. Linux Open Source
  • Determine, by experimentation, current applicability of fingerprint and iris biometrics.
  • Prepare and deliver a fifty-minute lecture on an assigned DPIMIT topic.
  • Demonstrate an understanding of national and international legislation on:
    1. Data Privacy
    2. Identity Theft
  • Demonstrate an understanding of the data privacy risks created by malware, web parasites, and inadequate system and application security technology by writing a lab report on the topic.
  • As a team project, develop a model of an RDBMS that resolves data privacy issues in keeping with the European Union Directive on Data Privacy for ownership and access privileges.
  • Demonstrate the distinction between LDAP and an RDBMS and their respective limitations for Identity Management purposes.
  • Develop an appreciation through lecture, homework, labs and project assignments of the value of continued learning on new topics that promote life-long learning disciplines.
  • Learn to weigh the ethical implications of giving proper attribution, honoring the intellectual property of others and respecting licensing laws.

Laboratory projects: DPIMIT is learned by doing. Labs are a fundamental component in this learning process. Ten laboratory assignments are structured for the course, several of which are team efforts.

Laboratory topics (topics do not necessarily correspond to individual lab exercises):

  • Configure Active Directory with a focus on Group Policy Objects and create and demonstrate Active Control Lists and their role in authentication.
  • Install and Configure Exchange 2003 e-mail server, Exchange System Manager (EMS), Internet Information Service 6.0 (IIS), and a Certificate Authority on a domain controller in the IT domain requiring use of Secure Socket Layer (SSL). Have it issue certificates to workstations and generate an operational SSL certificate.
  • Install a digital certificate on a token that can be used for personal identity authentication. A team project.
  • Install and configure an Open Source Certification Authority on Linux and issue both an SSL and a personal certificate.
  • Use a fingerprint biometric device for personal authentication and reveal the parameters that the vendor captures for creating a fingerprint template using Nathan Green's thesis referenced above.
  • Use an iris scan biometric device for personal authentication.
  • Use NetID and password via an LDAP Interface to gain access to a web project.
  • Use a fingerprint biometric and MySQL to authenticate personal access using NetID to gain access to a web project. This requires an enrollment process to securely store and encrypt NetID and its associated password. A team project.
  • Develop a model of an RDBMS that resolves data privacy issues in keeping with the European Union Directive on Data Privacy for ownership and access privileges of data. A team project.

 

Laboratory Equipment: Computer Equipment used: Computer with administrative access. Multiple OS installations (Windows, Linux, VMware). Routers, switches, IT Sandbox, ITSecLab and IAS Lab equipment.

Written and oral communication requirements: Students will record all labs in lab reports. Students will analyze results of labs and report on them in lab reports. Reports will be evaluated for both technical content and writing quality. Students will do oral and written presentations on lab projects.

Homework Assignments: There are ten homework assignments that are hands-on hacking and malware exercises taken from the textbooks.

Math Analysis: Statistics

Library or other Research Projects: Team participation in the preparation of one DPIMIT lecture topic of 50 minutes.

Life-long learning experiences: Students will identify several key publications (on-line or paper) which discuss new technical developments in DPIMIT. They will select and report on one article from one of these publications. Student groups will independently research an assigned topic in DPIMIT and teach it to the class as part of their assigned lecture.

Prepared By: G. W. Romney

Date Revised: June 2005

Brigham Young University, Provo, UT 84602 - (801)422-4636 - Copyright 2007, All Rights Reserved