B20.3157, Computer & Network Security

March 25-May 6, 2002
6 pm - 8:50 pm

DRAFT SYLLABUS

Professors

Patrick McDaniel
Email: pdmcdan@research.att.com
Web: http://www.pdmcdan.com/
Phone: 973-360-5721
Office hours: by appointment

Lorrie Cranor
Email: lorrie@acm.org
Web: http://lorrie.cranor.org/
Phone: 973-360-8607
Office hours: by appointment

Class web site

TBA

Course description

As enterprises become increasingly reliant on electronic media and communication, the protection of data and electronic infrastructure becomes critically important. Incidents of security failures in commercial and non-commercial environments are increasing in number and severity. Hence, it is essential that enterprises continually develop and refine security strategies that reflect the changing uses of information technology.

This course introduces basic concepts of computer and network security, with an emphasis on the threats and countermeasures relevant to Internet and web services. Students will be prepared to evaluate the security needs of organizations, and to develop strategies to address these needs. The requirements and design of security technologies will be reviewed and case studies presented.

Required texts

White-Hat Security Arsenal, Rubin, Addison-Wesley, 2001.

Web Security, Privacy & Commerce, Garfinkel and Spafford, O'Reilly, 2002.

Lecture outline

Note: this is subject to change. The class web site will have the most recent version of this syllabus. Additional readings will be handed out in class or made available online. Please do each reading assignment before you come to class -- this includes the reading assignments for the first class!

1. (3/25) What is security?
definitions
cryptography
threat models
trust
Readings: Rubin chapters 1, 2; Garfinkel and Spafford chapters 1, 3

2. (4/1) Web site security
SSL
authentication
PKI
Readings: Rubin chapter 12; Garfinkel and Spafford chapters 5-7

3. (4/8) Website Security (cont.), Electronic commerce
Java, servlets
dynamic content
secure payments
micropayments
Readings: Garfinkel and Spafford 13, 15, 16, 25

4. (4/15) Internet security
email systems
instant messaging
viruses and worms
secure data storage
Readings: Rubin chapters 3-5; Garfinkel and Spafford 9, 10

5. (4/22) Firewalls and Network Security
Internet basics
Layering (network, transport, or application layers)
Protocols (TCP/IP, HTTP)
IPsec
VPNs
Readings: Rubin chapters 1, 2, 8; Garfinkel and Spafford 2, external readings (assigned in previous class).

6. (4/29) Wrapup, Emerging Issues and Social Implications
Physical security
Subculture of hackers
press coverage of security issues (spin)
privacy vs. security?
Readings: Rubin chapter 6; Garfinkel and Spafford 14, external readings (assigned in previous class).

7. (5/6) Final exam and project presentations

Course requirements and grading

This class meets for only seven sessions; therefore it is critical that students attend every session. Students who miss more than one class will find it very difficult to receive a passing grade. If you must miss a class, please submit any homework assignments prior to class via email.

There will be a reading assignment and homework questions due every week, which will account for 40% of your grade. There will be a group project that will account for 25% of your grade. There will be a final exam that will account for 25% of your grade. The remaining 10% of your grade will be based on attendance and participation in class and on the class discussion list.

A class mailing list will be set up for announcements, questions, and further discussion of topics covered in class. Students will be expected to contribute to mailing list discussions. Students should post (non-personal) course-related questions to this mailing list rather than sending them to the instructors directly. Students are encouraged to post course-related items of interest to this mailing list.