Towson University
AIT 610.103
IT Systems Analysis and Design
And Operating Systems Security
Towson University
Spring 2006

Professor Randall K Nichols

Office: 
Carlisle, PA
Availability: 
10:00AM - 3:00AM EST (email or phone)
Office Phone: 
717-258-5693
Mobile Phone: 
 717-329-9836
E-Mail: 
profrknichols@comcast.net
Course Website: 
www.infosec-technologies.com
Classroom: 
 See CSC security check-in desk for room assignment
Class Times: 
 1730 – 2045, Thursdays (CSC)
Class Dates: 
 2/02/2006 to 4/27/2006; Final Team Project due 5/4/2006
5/2005
Prerequisites: 
 CAIT Core Course, Pre/co-requisite AIT 600

Textbooks
1) Dennis, Alan and Barbara Haley Wixom, Systems Analysis and Design, Second Edition, John Wiley & Sons, Inc., 2003. ISBN: 0-471073229 [SAD]

2) Michael Palmer, Guide To Operating Systems Security, Thompson Course Technology, 2004. ISBN: 0-619-16040-3 [OS]

Learning Objectives

There is a lot of reading and in-class participation required for this course. Don’t get behind! We will integrate two main themes/ goals for this course:

  1. We will investigate SAD. SAD is a discussion of the software development life cycle (SDLC), requirements analysis, verification and validation, design issues, development tools and methods, modeling techniques, quality assurance and implementation strategies, performance measurements and strengths.
  2. Security of IT systems is too important to be separated from Systems Analysis and Design (SAD). We will seek to have a fundamental understanding of operating systems security principles and implementation. We will learn about technologies used and principles involved in creating a secure computer networking environment. A broad range of security topologies, technologies and concepts will be discussed

Course Skills/Outcomes

This course provides an introduction to analyzing various types of systems with the emphasis on information systems. There are four major aspects to this course:

  • The first aspect is determining what systems to pursue and developing the business justifications for the system. This includes problem identification and scope.
  • The second aspect is learning how to gather the information required to develop the new system. This includes questionnaire, interviews, document analysis, etc.
  • The third aspect is documenting the gathered information into standard formats used in system analysis such as Use Cases and Class Diagrams.
  • The fourth aspect is integrating due diligence security into the SAD process.

Web Site

A wealth of supplementary information for our course is available at www.infosec-technologies.com. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

E-Mail

All students are requested to obtain an e-mail account that can receive a lot of Mail (PPTs, notes, etc). If you have any questions about the course or need assistance, please contact me in person or by telephone during office hours; or by e-mail at any time. About mid-semester, I will send out a confidential “1 to 1” email to check on the progress of each student. Response is optional.

COURSE DELIVERABLES

The course deliverables are as follows:

Exams. There will be no formal midterm or final exam.

In-Class / Take- Home Assignments. There are three In-Class Team / Individual assignments scheduled. There will be three case studies assigned for team briefing (1-2 "pager" to distribute to class.)

Asymmetric Project Presentation. A team produced Asymmetric Project PowerPoint presentation will be due at mid-term. Consider it a warm-up for the collaborative team paper/presentation without the required paper due at the same time.

Collaborative Team Research Paper / PowerPoint Presentation. A semester-long team research paper and PowerPoint presentation is required. Be advised, this is not a project to wait for the last moment to prepare. It is very competitive and teams should organize on first class meeting, pick a team leader and assess strengths and weaknesses of its membership. Everyone on the team receives the same grade (subject to the P-2-P process, if invoked). Sink or swim.

Participation. Students are expected to prepare for each class meeting and participate in the homework discussion conferences. Questions based on the weekly lecturettes and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark.

Bullets. Students will prepare short Bullets on current items pertaining to this course (URLS, 30 - 60 second summaries of current security events, interesting IT/ INFOSEC finds, etc. or webliography items REGULARLY. Virus bullets (and AV product news) do not count. Duplicate bullets do not count. Bullet participation is generally a grade differentiator on participation.

There are quality bullets and there are not so quality ones. There are A-bullets which go right to the gradebook in your favor. There are 2 conditions I look for in addition to the quality of Bullets: 1) currency [bullets should be not more than 7-days old or if older, need to be updated with a current reference on the same subject]and 2) bullets about viruses or malicious software in any form, including spyware, bots, web bugs, Trojans, worms, computer programs to stop them, script kiddies, AV company information, new marketing program signatures or even legal stuff about them are boring information and should be avoided, like poison. There are literally hundreds of security events happening around the world; INFOSEC newsletters, newspapers, formal /informal initiatives, CT resources that provide raw high-grade material for bullets. Information about new approaches to IT architecture Open or supported software, NIST standards or best practices are all fuel for good quality bullets.

The instructor reserves the right to make changes to this syllabus at any time.

GRADING:

The final grade will be determined as follows:

Special Asymmetric Project-- 25%
Group Research Paper and PowerPoint Presentation-- 45%
Participation / In-Class Team / Individual Assignments / Case Studies-- 15%
Bullets -- regular submissions of "Bullets" or webliography are required -- 15%

Teams may elect to use a peer-to-peer evaluation process in which team members evaluate (or mirror) the performance and participation of their teammates but not their own. Multiple negative “P-2-P’s” may negatively affect an individual’s grade by up to 20%. P-2-P's are held confidential and recorded. A special XLS formatted sheet will be given to team leaders.

GRADUATE SCHOOL GRADING GUIDELINES:

According to Graduate School grading policy, the following symbols are used: A = excellent; B = good; C = passing; and F = failure.

The grade of B represents the benchmark for the Graduate School. It indicates that the student has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Only students who fully meet this standard and, in addition, demonstrate exceptional comprehension and application of the course subject matter earn a grade of A.

Students who do not meet the benchmark standard of competency fall within the C range or lower. They, in effect, have not met graduate level standards. Where this failure is substantial, they can earn an F.

WRITING STANDARDS:

Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. The Graduate School recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition). Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations.

Timeliness It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations.

POLICY ON ACADEMIC INTEGRITY AND PLAGIARISM:

Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as ones own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by following carefully accepted scholarly practices. Notes taken for papers and research projects should accurately record sources to material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Towson University’s formal policies at: https://inside.towson.edu/generalcampus/tupolicies/index.cfm

DISABILITIES

Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from Disability Support Services authorizing the accommodation is required.

COURSE EVALUATIONS

Feedback on each graduate course and instructor is important to the university, your professor, and to all students. Towson has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form. This is a shared obligation for us all. It is therefore important that you complete the evaluation form for each course. This should be viewed as an additional course and program requirement.

Course Schedule
Week
Topics
Chapter Readings
(week after class)
Hands-On
Projects / Class
Exercises
Due Date
Week 1

Syllabus
Administrative
Expectations

TEAMS FORMATION
& Topic Selections for Final
Midterm &
Case Study Requirements
-------------------
SAD Process Overview

Security Overview

SAD Ch 1 Intro to Systems Development Life Cycle

OS Ch 1 Security Overview- Keeping computers secure

In class exercise
NASA exercise
TEAM Building

Bullets


Week 2

Project Initiation

Malicious Code

SAD Ch 2 Project Initiation

OS Ch. 2 Malicious Code

 In class exercise- Asymmetric Thinking

Bullets


Week 3

Project Management

Encryption and Authentication

SAD Ch 3 Project Management

OS Ch 3 Encryption and Authentication

 Ryan 30 Elements
For SE

Bullets

Case Study 1

Week 4

Requirements Definition

SAD Ch 4 Requirements Def

Bullets

Week 5

Processing Modeling

File, Director, and Shared Resources Security

SAD Ch 6 Process Modeling ( Chapter 5 optional)

OS Ch. 5 Web Security

 Bullets  
Week 6

Data Modeling

Firewalls and Border Security

SAD Ch 7 Data Modeling

OS Ch 6 Firewalls and Border Security

 Bullets  
Week 7

Project



Asymmetric Project Presentations
Week 8

Systems Design

Network Topology Defenses

SAD Ch 8 Systems Design

OS Ch 8 & 9 Network Topology Defenses

 Bullets Case Study 2
Week 9

Architecture Design

SAD Ch 9 Architecture Design

Bullets

Partial Team Day

  
Week 10

User Interface Design

SAD Ch 10 User Interface Design

 Asymmetric exercise (in-class)

Bullets

 
Week 11

Database Design

Wireless Security

SAD Ch 11 Database Design

OS Ch 10 Wireless considerations *

 Bullets

Trust Me Presentation*


Week 12

Program Design

Web, Remote security

 SAD Ch 12 Program design

OS Ch 11 Web, Remote security

Bullets


 Case Study 3
Week 13 Construction & Installation

Email security

 SAD Ch 13 &14

OS Ch12 Email

 Bullets  
Week 14 Wrap-Up
 TEAM DAY Bullets  
Week 15 FINAL TEAM Paper
FINAL TEAM Presentations
Good Luck!
Breathe Again. 		    Good Luck!
Breathe Again.
Team A/D Counter -Terrorism Scenarios

Computers at there best! Putting it all together.
NB: Some material will be taken from Randall K Nichols and Panos C Lekkas, Wireless security, Models Threats, Solutions, McGraw Hill, 2003, ISBN: 0-07-138038-8. (On reserved readings.)

RESERVED READINGS

Some material will be taken from Randall K Nichols and Panos C Lekkas, Wireless security, Models Threats, Solutions, McGraw Hill, 2003, ISBN: 0-07-138038-8.

REFERENCES

Adelman, G.E. (2003) The Myth of Little Round Top, Gettysburg PA. Gettysburg, PA: Thomas.

Afyouni, H.A. (2006) Database Security and Auditing: Protecting Data Integrity and Accessibility. Boston: Thomson Course Technology.

Britton, C. & Bye, P. (2004) IT Architecture and Middleware: Strategies for Building Large Integrated Systems, 2nd Ed. New York: Addison Wesley.

Campbell, P., Calvert, B., & Boswell, S. (2003) Cisco Learning Institute, Security+ Guide to Network Security Fundamentals. Boston: Thomson Course Technology.
Canavan, J. E. (2001) Fundamentals of Network Security. Boston: Artech House.

Ciampa, M. (2004) Security Awareness: Applying Practical Security in your World. Boston: Thomson Course Technology.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Harman, T.D. (2003) Lee’s Real Plan at Gettysburg. Mechanicsburg, PA: Stackpole Books.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Holden, G. (2004) Guide to Firewalls and Network Security. Boston: Thomson Course Technology.

Holden, G. (2003) Guide to Network Defense and Countermeasures. Boston: Thomson Course Technology.

Erbschloe, M. (2003) Disaster Recovery. Boston: Thomson Course Technology.

Evers, D., Miller, M. & Glover, T. (2005) Pocket Partner, 4th Ed. Littleton, CO: Sequoia.

Nichols R. K, Ryan, D. J., & Ryan, JCH. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Northcutt, S., Zeltser, L, Winters, S., Frederick, K.K., & Ritchey, R.W. (2003) Network Perimeter Security. Boston: New Riders. [See chapters 14-16]

Palmer, M. (2004) Guide to Operating Systems. Boston: Thomson Course Technology.

Parker, T., et. al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Rattray, G. J. (2001). Strategic Warfare in Cyberspace. London: MIT Press.

Schneier, B. (2003) Beyond Fear: Thinking Sensibly About Security in an Uncertain World, New York: Copernicus.

Schwartau, W. (1996) Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Whitman, M.E. & Mattord, H.J. (2004) Management of Information Security. Boston: Thomson Course Technology.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.