UTICA COLLEGE
Utica, NY

Spring 2006
CRJ 362 Information Systems Threat, Attacks & Defense
MWF 12:30-1:45 PM
Location: Hubbard 107

Instructor: Associate Professor Randall K. Nichols
Office: Hubbard B-4
Email: rnichols@utica.edu
Phone: 315-223-2501
Mobile: 717-329-9836
Office Hours: 10:30AM – 10:00 PM EST
Website: www.infosec-technologies.com

Instructor Website A wealth of supplementary information for our course is available at www.infosec-technologies.com. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Textbooks and instructional resources

Required

  1. Information Security (Protecting the Global Enterprise), Donald L. Pipkin, Prentice Hall, 2000.
  2. Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier, Copernicus, 2003.

Course Description

Introduces core concepts and techniques of information security. Includes the identification and application of information risk management models. Traces the entire life cycle of information systems security planning, evaluation, risk assessment, security architectures, incident detection, and responses to vulnerabilities and threats. Introduces legal, ethical, and business issues that motivate and constrain the definition and implementation of information security management systems. Addresses software system vulnerabilities, software security (including trusted software), alternative countermeasures, policy, cryptography, and attack trends. Introduces techniques for measuring status/progress in delivering secure systems. Course will emphasize current information risk management needs, techniques, and challenges from both business and technical perspectives through active discussion, individual project research, assigned homework, and special activities. Our course will stress asymmetric thinking principles to engage better security solutions. {I have included a few of my personal thoughts on asymmetric thinking, terrorism, and fear at the end of this document.}

Prerequisites

  • None. However, ability to think creatively / asymmetrically; ability not to sleep more than 4 hours at night; ability to work well in team format; basic survival skills and shielding against (FBD) Fire, all help.

Objectives / Learning Outcomes

  • Understand the basic concepts of information risk management.
  • Understand the steps required for assessment of information systems vulnerabilities, threats, and risk estimation.
  • Understand the importance of policy specification, user awareness, and process standards in a program for system security.
  • Know how to prepare an information systems security program.
  • Understand techniques for measuring the effectiveness of an information security program.
  • Know how legal, ethical, and business issues can shape an information security program.
  • Understand the basic concepts of secure software, especially trusted system design.
  • Understand basic concepts of cryptography, web and database security, forensics, and physical security.
  • Understand the methods for intrusion detection and response.
  • Understand the current threat posture, and demonstrate an awareness of the likely evolution of security threats, regulations, and countermeasures.
  • Use the Internet to locate information security information, recommendations, tools, and case studies.

Bullets

Students will prepare a minimum of two short, current Bullets per session on items pertaining to this course: URLs, 30-second summaries of current security events, interesting Risk Analysis / Computer Forensics / Intrusion Detection / INFOSEC finds, etc., or Webliography items each week. Students may also choose to add to the Webliography interesting URLs that dovetail with the material in this class. Bullets are grade differentiators on participation. There are only three rules governing bullets: 1) they cannot be over 7 days old, 2) they cannot repeat / duplicate another person's bullet and 3) Anti-Virus related bullets; or AV new / old product information; or AV marketing material; or company strategic AV roll-out plans; or risks associated with not having AV software deployed; or any news item relating to AV are unacceptable in any form and are to be considered poison to your grade.

Student Team Research PPT and Midterm Challenge

I believe that teamwork facilitates research and better learning. Both the Midterm and Final are team efforts. The primary deliverables for this course are the Team A/D PPT Presentation on one of eight assigned A/D Scenarios and the Midterm PPT on one of three Midterm challenges. Teams will present their PowerPoint presentations in Class. Every member must contribute to the PPT and be part of the presentation to the class.

MIDTERM

All teams will solve the Midterm project (FUJI challenge or ONE of the Draconian challenges) and competitively present their PowerPoint solutions in class. There is no Midterm paper required. Each team will present a PowerPoint Presentation of approximately 50-75 slides to demonstrate their research to the class. There is no maximum number of slides.

FINAL

For the Final, student teams will perform research on a specific Attack / Defense terrorism scenario and present results to class. (See Appendix B for the Midterm choices and Appendix C for A/D terrorism scenario team choices.) The Team Research PPT is a hypothetical but complete Asymmetric Attack and Defense developed scenario on an enterprise network target. Special emphasis must be made on the Risk Assessment (Impact, Vulnerabilities, Threats, and Cryptographic / ID countermeasures) used for defense purposes. Equal weight must be addressed by teams for both attack and defense preparations. A special 2-3 page After Action Report must be included to summarize the team’s evaluation of the success and plausibility of both the attack and the defense. Teams will hand AARs to the class before their presentations.

I look at the collaborative finals closely, checking references, spelling, flow, clarity, organization, problem solution, strength of attack versus defense scenarios, and the PowerPoint presentation of team ideas. Think of yourself as giving a briefing before the National Security Advisor or a Cabinet Secretary. Be sure to have a Title page, Summary, A/D scenarios mapped out, Conclusion and After-Action Report section (with appropriate references and appendices in place). The latter is your team's judgment of the success and failure of the A/D described. One last thought: references must not be skewed to the web-only mode - hard references, interviews, photography and cartography are all pluses. Team leaders: this is the "big bang for your buck ticket item." Be sure you personally look at the final submission closely for flow. When ready, please submit as a created main item under the final conference on Blackboard.

Each team will present a PowerPoint Presentation of approximately 50-75 slides to demonstrate their research to the class. There is no maximum number of slides.

Midterm Team Project – Choose Fuji Challenge or ONE of the two Draconian Challenges

Regarding Fuji: There is no outline or paper due for Fuji, just the PowerPoint presentation. There are two catches on Fuji: first, read the problem and think asymmetrically. Second, there are a lot of issues that can be addressed logistically, communications, tracking devices, warehousing, secrecy, personnel etc, so prioritize your responses as to their importance (if necessary, you can use more slides to prove your points), but the minimum is 50, regardless of team size. There is no maximum. It is not necessary to cover everything. The project is by definition huge and will require significant resources if it were real. So, choose how you will communicate with the trucks, your HQ, the barges and personnel and what devices you may want to use to solve the problem. Think of the network that would be required and the sensitivity of the data. Then concern yourselves with the computer security, risk assessment process, intrusion detection and computer forensics for the security policy. Have fun with this one. (See: Appendix C for the Fuji Challenge.) Alien transformations and treaty readjustment solutions (or any solution that bypasses the fundamental Information Security issues) are clever but unacceptable.

The Draconian challenges revolve around modern information technology and a special “bracelet” being used by King Dracos (originally of Athens 651BC) but transformed to the 20th century. Either of the Draconian challenges may be substituted for Fuji. Concentrate on the Information Assurance, Threats, Vulnerabilities, Impact, Countermeasures and Risk Assessment issues ONLY.

Project 1 – PGP: Cryptography and Authentication

Each student will download and install a free, non-commercial single-use copy of PGP version 6.5.8 from www.infosec-technologies.com OR make a copy of the free PGP version 6.5.8 from the instructor. Follow instructions in the Appendix A: Robust PGP Instructions. Do not send your keys to the MIT Certserver, as I will act as the class-certifying agent. MIT no longer services PGP keys. This is one of the few individual projects assigned in my class. Do not use other versions of PGP because they are not free and they have removed some of the best features found in Version 6.5.8.

Project 2 – Security Risk Assessment

Each Team will complete a security risk assessment for a hypothetical company, following the guidelines provided by the instructor. (See Appendix D for example Security Assessment Problem.)

Project 3 - Security Lab Project

Each student will select a freeware information security tool, install it in the lab, and run it (creating any input data as necessary). In a 10 slide PowerPoint briefing,

  • Describe the tool,
  • Demonstrate /display its output,
  • Present a (hypothetical) system configuration diagram where the placement and/or application of the product is shown,
  • And give your opinion of the value and importance of both the function the product (claims to) provide, and the product itself.

Examples of freeware tools include l0phtcrack, crack, john the ripper, coroner's toolkit, tripwire, md5, snort, nessus, COPS, SAINT, SATAN, Moosecrypt, any of the many steg tools, encase, and TIGER. Additionally, there are freeware versions of a number of "risk assessment" methodologies and tools (e.g., ASSET). Consult www.infosec-technologies.com for many, many ideas on ID/ CF /RA / cryptographic tools.

Team Emphasis Note: in my classes there is a significant emphasis on teamwork. Choose your teammates and team leader carefully. Information security / Forensics Investigation challenges are handled well through teamwork and joint knowledge.

More On Teams Regarding team formations: First you choose your Midterm Project and Final Project. Every team investigates both sides of the analysis (the Attack & Defense) (good guy and bad guy – two POVs). Teams collaborate to decide who wants to do the attack side and who wants to do the defense side. It is up to the team (and TEAM LEADER) who performs what function on the problem. You work together and separately. At the end of the preparations, you come together and share what happened, report it in PPTs and in the AAR.

TEAMS are SELF-DIRECTED and SELF-POLICING.

The Team Captain coordinates the projects, is responsible for the presentations and / or papers due, resolves differences, encourages participation, facilitates and checks for spelling and writing flow of the resulting work, and ensures that the best work is produced. Team Captains are the liaison with me and I fully support his/her actions.

The Team Captain is in charge and is responsible for the delivery of the assignments. It is incumbent on the teams to support the person they chose. Frankly, the team grade depends on it. Be professional. Let your team captain know if you are going to miss a class or be late on a team assignment. This way someone on your team can cover for you. Team Captains report directly to the instructor.

The bad guys (the Attack side of A/D) are tasked with breaching the security of the information assets and overriding the countermeasures applied to reduce risk. They have time and flexibility on their side.

The good guys (the Defense side of the A/D) are not stupid. They must also have a plan to protect their information assets. Use cryptography or Steganography if you like. Set Malware traps, set hardware traps, prevent the viewing of data, hide files, put in spiders and self-destroys. Set up firewalls, VPNs, enterprise IDS, biometrics, and anything you think will stop the attacks. The cleverer the security plan, the tougher the attack team will have to work. Consider which tools / technologies are important.

The third part of the analysis is the AAR or After Action Report (generally 3-4 slides), where the team as a whole collaborates on the effectiveness of the security. They compare notes. They share findings, tools, and details. They present their JOINT conclusions on what part of the attack(s) worked and what didn't. Lastly, mitigation (if possible) of those differences is presented in one – two slides.

All team-members earn the SAME grade subject to the P2P evaluations procedure discussed below.

Spring 2007 Course Syllabus
Schedule columns: Wk, Session, Topic, Reading, Assignments Due Dates

WEEK 1

Session 1

  • Course administration
  • Introduction to Information Risk Management
    • Current state of affairs
    • Why is this important?
    • Information risk management models
  • Intro to security lab

Pipkin: Prologue and Introduction
Schneier: Chapter 1

In-class
Authentication exercise

WEEK 2

Session 2

  • Building an Information Security Management Program
    • Security program planning
    • Compliance and security standards
    • Business case and Business enabling action

Pipkin: Phase I, Chapters 1, 2, 3

Schneier: Chapter 2

Research project topic confirmation

Homework 1 Assignment PGP “active”

WEEK 3

Session 3

  • More on risk assessment
  • Threats / Vulnerabilities

Schneier: Chapter 3


WEEK 4

Session 4

  • Cryptography & Networks

Pipkin: Chapter 4; Phase II, Chapter 8

Schneier: Chapter 4

 

WEEK 5

Session 5

  • (Internet Warriors)
  • Attacks and attack methods
  • Beginning safeguards and countermeasures
    • A security architecture
      • Systems
      • Networks
      • Users

Pipkin: Chapter 5 Phase II, Chapter 8

Schneier: Chapter 5

Homework 1 – PGP exchanges completed.

WEEK 6

Session 6

  • Access controls
    • Software systems
      • Trusted software
      • Databases

Pipkin: Chapter 11, 12, 13, 14

Schneier: Chapter 6

Homework Project 2 (Security Risk Assessment) due

WEEK 7

Session 7

  • Identification
  • Authentication
  • Product certification
    • ISO15408 (Common Criteria)
    • NIAP
    • ICSA (anti-virus and firewall)

Pipkin: Chapter 9, 10, 11 (again)

Schneier: Chapter 7

 

WEEK 8

Session 8

  • Encryption
  • Basic concepts
  • PKI
  • VPN, SSL, SSH
  • IPSec

Schneier: Chapter 8

 

WEEK 9

Session 9

Mid-Term (Fuji Challenge or Dracos - Team PowerPoint Presentations in Class, No Paper required)

Schneier: Chapter 9

 


WEEK 10

Session 10

  • Accountability and Audit
  • Mobile and wireless issues
  • Foundation safeguards (firewalls, compliance managers, security portals)

Pipkin: Chapter 15

Schneier: Chapter 10

Tool reports due (presentations begin)

WEEK 11

Session 11

  • Operations
    • Administration and provisioning
    • Measuring security
    • Detection

Pipkin: Chapter 7, 16
Pipkin: Phase III, Chapter 17, 18, 19, 20

Schneier: Chapter 11

Tool Report presentations


WEEK 12

Session 12

  • Operations
    • Reaction and incident response
    • Forensics
    • Recovery
    • Legal, Privacy, Ethical Issues

Pipkin: Phase IV, Chapter 21, 22, 23, 24, Chapter 25, 26, 27, 28, 29, 30, 31

Pipkin: Epilogue
Schneier: Chapter 12


 

WEEK 13

Session 13

Course Wrap-Up

Schneier: Chapter 13-14



WEEK 14

Session 14

Team Day

 

 

 

WEEK 15

Session 15


FINAL: Student Team A/ D Terrorism Scenario Presentations

Course Policies and Procedures

Grading: According to Utica College standard grading scale and policy: A 93-100;
A- 90-92.9; B+ 88-89.9; B 83-87.9; C+ 78-79.9; C 73-77.9; C- 70-72.9; D+ 68-69.9; D 63-67.9; D- 60-62.9; and F 0-59.

The grade range of B represents the benchmark for this class. It indicates that the student (or team) has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Writing Standards Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. Utica College recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition) or www.apastyle.org. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. Other resources are: The Elements of Style (Strunk and White), 100 Ways to Improve Your Writing (Provost) and the Utica College Writing Center at Hubbard Hall, Room 216.

Timeliness It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations. Since most of our class work is performed in team format, students have a responsibility to their team and this class. They must make arrangements with the team leader for missed participation. Except for military service, verifiable medical leave or bereavement leave, there will not be any late grading.

Students should respect the learning atmosphere of others by not coming in late or leaving early.

Academic Integrity and Plagiarism Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid (electronically or in person) on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person's idea or product as one's own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another's written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by carefully following accepted scholarly practices. Notes taken for papers and research projects should accurately record sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism or intentional cheating include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Utica College's formal policies at: http://www.utica.edu/academic/catalog/academicregulations.pdf

Disabilities Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from the Coordinator of Learning Services authorizing the accommodation is required (Kateri Henkel, khenkel@utica.edu, 315-792-3032).

Course Evaluations Feedback on each undergraduate course and instructor is important to the College, your professor, and to all students. Utica College has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form.

Email Messages Please remember to put [CRJ 362] in the Subject of every email. In my online courses, the volume of email and attachments is significant.

Attendance Class attendance will be recorded in random classes during the semester. Unexcused absence(s) negatively affect both your individual participation grade and your team's performance. Those involved in sports, please contact your respective coaches to provide me a written schedule for practice sessions and games so that you do not get marked absent.

P2P Team Evaluations and Performance 80% of our course is Team-Based. Further, the mid-term and final projects are very asymmetric. There is no book or reference or "quick-guide" or URL that has the specific answers. The goal is to present a reasonable and logical team solution to a difficult (even unusual) assignment based on best information security practices and technologies gleaned from your research and our class materials. Your grade is determined by how well your team accomplishes this goal working collaboratively. We think, learn, evaluate, problem-solve, generate ideas and possibilities and write better as a team. Research confirms that teams consistently out-perform the "star" individualist. This is real world. Information assurance issues in organizations are rarely assigned to one person – regardless of how strong or technically adept he/she is. They solve the big problems in real time, in team format, with collaborative working sessions.

Over my career, I have found that teams work effectively – most of the time. In general, all team-members receive the same grade on exams and projects. This policy is subject to the P2P (peer-to-peer) team evaluation process. When a team does not interact well as a team, or one member intentionally does not participate effectively, or when the team leader is at terrible odds with the team itself and refuses to be flexible or improve the "lens of understanding," we have the P2P policy to fall back on. P2Ps may optionally be submitted (for the semester) by any team or team member within one week after the final project/exam. P2Ps are strictly confidential and I maintain these records for many years. Students are subject to an individual grade penalty of up to 20% of their grade if their overall performance is found deficient by a majority of their team-members. The team keeps the score-card on itself. As a practical matter, I discourage the formal P2P process and encourage teams and team leaders to solve their own problems "in-house." I will be glad to help and encourage positive results in our teams in every way I can before using the P2P disincentive. Students receiving a reduction of grade based on the P2P process will be notified by me in writing.

Cell / Picture Phones, Palm Pilots and Pagers Turn off all your electronics before entering our class. These devices are enormously disturbing and rude to your fellow students and me. Frankly, we are more important! Use of these devices during class, or especially during an exam, may earn you an F for the class session or on your test. Further, you will need to show cause why you should remain in my class for the balance of the semester.

Food The Golden Rule applies. Strive to leave the classroom in better shape than when you entered it. “Pay it forward”, it works!

Class Discussions We bring differing points of view to this class. Participation is not only encouraged but many times I will put a fire under the class to analyze issues with variety of perspectives. Be prepared to take the side of a brisk discussion (not argument or personal attacks) that is in conflict with your own. Challenge yourselves – especially when solving asymmetric team problems. Respect and professionalism are the operative guidelines for our discussions.

Extra Credit Work The punishment for good work is more work and respect. Extra credit assignments (limit one per student per semester) are available for students who enjoy individual achievement, want to learn more and are excited by the material as a possible vocation or sense that they need a few more points to improve their grade. I believe in the “pay it forward” principle. Extra credit assignments (worth up to one grade level) are designed to help my current and future students by developing accurate, current resource materials. Extra credit assignments must be completed on time to be valued. They do not replace any of the normal exams, asymmetric team work, assignments or case studies. “Extra” is the operative word.

Death March Team (DMT) Eligibility Students who maintain an A level average in this class may be invited to join the DMT. This is quite an honor. DMT represents a network of over 85 of my active working Graduate students from George Washington University, Towson University, University of Maryland University College, Tulane University, Capitol College, US Army, US Navy, USCG, USJCS, White House, DOD, DHS, FBI National Academy, NSA and major security organizations (SAIC, BAH, ASFT, Anteon, Credant Technologies) that collaboratively work on some fascinating short-term challenges. They evaluate new "beta" technologies, prepare presentations as a team for national conferences, provide speakers for local events, and critique each other's papers. It is a network that helps each other find work in senior positions. We always attribute our work professionally, maintain a code of professional ethics and work to improve our profession. We are committed to each other's professional success. Respect is our currency.

Disclaimers This course examines inter alia ethical and legal dimensions of on-line behavior. It is not intended to turn information technology professionals into lawyers. Many of the topics to be discussed will be concerned with the law and legal implications of certain behavior. Every effort is made to provide accurate and complete information. However, at no time during this course will legal advice be offered. Any student requiring legal advice, should seek services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore technology and management issues related to elements of holistic information security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored. Students are reminded that it is a violation of Federal and some states' laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems to which they have been granted access. At no time in this class should any student violate either laws or confidences.

This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading.

Bibliography

Barnett, T.P.M. (2004). The Pentagon’s new map: War and peace in the twenty-first century. New York: Penguin Group.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Campen, A.D., et al. (1996) Cyberwar: Security, Strategy and Conflict in the Information Age. AFCEA.

Cordesman, A.H. (2002) Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Diamond, J. (2005). Collapse: How societies choose to fail or succeed. New York: Viking.

Dorothy, D. (1999) Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Evers, D., Miller, M. & Glover, T. (2005) Pocket Partner, 4th Ed. Littleton, CO: Sequoia.

Gordon, L. A. & Loeb, M. P. (2006) Managing Cyber-Security Resources: A Cost- Benefit Analysis. New York: McGraw Hill.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington, DC.

National Research Council. (2002). Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. Washington: National Academy Press.

Nichols, R. K., Ryan, D. J., & Ryan, J. C. H. (2002) Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves. McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Parker, T., et al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Rattray, G. J. (2001). Strategic Warfare in Cyberspace. London: MIT Press.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996) Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Vatis, M.A. (September 22, 2001) Cyber Attacks During the War on Terrorism: A Predictive Analysis. Director, Institute for Security Technology Studies, Dartmouth College.

Verton, D. (2004) Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.

APPENDIX A
Robust PGP Instructions

Several of you are having success with the PGP project and others are in need of some directions.

The PGP project is to introduce you to a working public key cryptosystem where material is, in fact, kept confidential. I also want you to understand the principles of robust authentication. We can do both with PGP.

1) Download the proper [platform & US location] PGP version 6.5.8 from www.infosec-technologies.com resources page (middle). The instructor can also provide single-use copies of the Version 6.5.8. Do not download newer versions of PGP as they do not have the same features, are not free and actually have less flexibility than the free version.

2) PGP sets up the correct plug-ins for your email. Accept them.

3) Create your public/private key pair. Use a minimum key bit length of 4096, and I suggest that you specify the Diffie-Hellman/DSS version, as it works with all the current versions of PGP keys. Generate a key pair that identifies you and use an email address that can accept attachments. Do not expire your key for this class. You will learn that PGP expiration is not what it seems.

4) Choose a long pass phrase that has numbers and letters in it. PGP will generate the prime numbers associated with your keys.

5) Do not send your key to the cert-server because I will act as the certifying agent for the class and I want to be sure that all is correct before we do this. Once it reaches the cert-server, it is nearly impossible to correct a mistake. Especially when you see what we do in step #9! Further, MIT does not accept PGP keys anymore. Their Certserver service has been shut down.

6) You will notice that your public keyring comes into view and suddenly you have a lot of keys! Using the shift key, highlight all of them in groups EXCEPT yours and Phil Zimmermann's out of respect to the inventor, and DELETE them. The delete function is under the EDIT tab. When you are done you will have your key with "road" markings on it.

7) Highlight your key and right click for PROPERTIES and see: A) that it is a CAST key. CAST is the default algorithm and is not acceptable in this class. See also that your public key has properties. Check the hexadecimal box and there you will see the FINGERPRINT that is unique to your key. The ID is related to your key on the PGP public and private rings. Close the window. Time to make the right key and understand the options.

8) Go to the Edit tab. Use Control-T or click Options.

General: check all four ("always encrypt", "faster key", and both caches) and add a comment that describes you, your company or your class. Other options: File Wiping Warn (yes), and change the number of wipes to 32! PGP is an excellent wiping system as well as a PKI cryptosystem.

Files: Leave these locations alone; you can change later but note where they are.

Email: use automatically decrypt, word wrap at 70, and sign by default (optional)

Hotkeys: Purge, and last two Encrypt / Decrypt and sign

Servers: DO NOT click on any of the below.

CA: skip; that’s me for this exercise.

Advanced: Now we are ready. CHANGE the preferred algorithm to 3DES or IDEA, uncheck CAST, check "Display marginal level", choose "Warn" (not "Treat"), and change the export format to COMPLETE. Close the box. Time to regenerate your new key and destroy your old one, if required.

9) DELETE your old key. You will get two warning statements. Play through. Prepare a new key with 3DES or IDEA as a basis. Go to keys tab and click NEW and regenerate a new key pair. When done you should have yours and Phil's keys. Yours will be 3DES or IDEA based. Use properties to check it.

10) Highlight your key and right click and SIGN it. The signing box will come up. Go to more choices; use TRUSTED Introducer (no Domain). We will talk about this in class. Highlight your key and click ok. It will come up with a message already signed. I know this but I wanted you to see how to SIGN my key or other classmate’s keys. You can also use the right click and obtain the Signing key properties in Certificate form.

11) Note that you can be creative and add a photo or another name to your key.

12) Right click while highlighting and use EXPORT function. Place this in a file that you will create and keep your class keys and mine. You will use the Attachment command on your email program to pull from this location. Close PGP and save the back-up key rings to a safe place like a floppy or CDROM or somewhere that you can find them.

13) Send your key to me by email.

14) I will return your key (not if it is CAST) SIGNED by me. I will also send you my public key. When you receive them, IMPORT BOTH to your public ring. OPEN yours and you will see my signature.

15) Time to use your key to SIGN mine AND RETURN IT TO ME. Key signing is a two-way authentication process. You can see your signature on my public key, but not necessarily other people's signatures on it. If you can’t see your own signature, use the “inside-outside” approach discussed in class.

16) We then will perform a second-channel check using the fingerprints that you discovered in #7.

17) We exchange messages in PGP. These may be done from inside the email client using the clipboard function or outside the email client using the tools function. Every email package is different so you may have to play with them a little. We will also test the Tempest option. Do not bypass the previous instructions because the authentication process will be lost. We will test the Secure Viewer option.
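What PGP is doing behind steps 7, 10 and 14-16, as an added illustration for these notes (this is not code from PGP 6.5.8 or from the course): the v4 key fingerprint shown in the key properties dialog, the second-channel fingerprint comparison, and the classic web-of-trust validity rule behind "trusted introducer" and "Display marginal level". Signature verification itself is assumed to have been done by PGP, so a fingerprint in a key's signed_by set simply means "PGP showed a good signature from that key". Every key, owner name and DSA parameter below is constructed for the example and is not a real key.

```python
import hashlib
import struct
from dataclasses import dataclass, field


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def dsa_pubkey_body(created: int, p: int, q: int, g: int, y: int) -> bytes:
    """Body of a v4 public-key packet, algorithm 17 (DSA): the signing half of a DH/DSS key."""
    return b"\x04" + struct.pack(">I", created) + b"\x11" + mpi(p) + mpi(q) + mpi(g) + mpi(y)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The key ID is the low-order part of the fingerprint; PGP's key list shows the low 32 bits."""
    return "0x" + fingerprint[-8:]


def normalize_fp(text: str) -> str:
    """Canonical form for a fingerprint read over the phone or pasted from mail."""
    return "".join(text.split()).upper().removeprefix("0X")


def second_channel_check(keyring_fp: str, spoken_fp: str) -> bool:
    """Step 16: the fingerprint PGP shows must equal the one confirmed out of band."""
    return normalize_fp(keyring_fp) == normalize_fp(spoken_fp)


@dataclass
class Key:
    owner: str
    fingerprint: str
    trust: str = "none"                           # none / marginal / full introducer trust
    signed_by: set = field(default_factory=set)  # fingerprints with a good signature on this key


def validity(keyring: dict, my_fp: str, marginals_needed: int = 2) -> dict:
    """Classic PGP key validity, one of complete / marginal / invalid per key.

    A key is complete if it carries a good signature from my own key, from a
    complete key with full trust (a trusted introducer), or from at least
    `marginals_needed` complete keys with marginal trust. Only complete keys
    can introduce others, so the rule is re-applied until nothing changes.
    """
    level = {fp: "invalid" for fp in keyring}
    level[my_fp] = "complete"  # my own key is the root of trust
    changed = True
    while changed:
        changed = False
        for fp, key in keyring.items():
            if level[fp] == "complete":
                continue
            introducers = [keyring[s] for s in key.signed_by if level.get(s) == "complete"]
            full = any(s.fingerprint == my_fp or s.trust == "full" for s in introducers)
            marginal = sum(1 for s in introducers if s.trust == "marginal")
            new = "complete" if full or marginal >= marginals_needed else "marginal" if marginal else "invalid"
            if new != level[fp]:
                level[fp], changed = new, True
    return level


def sample_keyring():
    """Constructed class keyring: valid packet structure, but NOT real DSA parameters."""
    def fp(i):
        return v4_fingerprint(dsa_pubkey_body(1136073600 + i, 0xC5F3 + i, 0x6B, 0x2, 0x1234 + i))
    me, teacher, bob, carol, dave, frank, fake = (fp(i) for i in range(7))
    ring = {
        me:      Key("Me (class key)", me, "full"),
        teacher: Key("Instructor", teacher, "full", {me}),      # step 15: signed after the fingerprint check
        bob:     Key("Bob", bob, "marginal", {teacher}),         # signed by the trusted introducer
        carol:   Key("Carol", carol, "marginal", {teacher}),
        dave:    Key("Dave", dave, "none", {bob, carol}),        # two marginal introducers
        frank:   Key("Frank", frank, "none", {bob}),             # only one marginal introducer
        fake:    Key("Instructor (unsigned duplicate)", fake),   # no good signatures at all
    }
    return ring, me


if __name__ == "__main__":
    ring, me = sample_keyring()
    for fp, lvl in validity(ring, me).items():
        print(f"{ring[fp].owner:<32} {key_id(fp)}  {lvl}")
```

The unsigned duplicate "Instructor" key is the case step 5 warns about: a key with the right name but no signature chain back to your own key is reported invalid, which is why the fingerprint comparison of step 16 happens before you sign anything.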

Appendix B-1
The Mount Fuji Security Policy Challenge

The Provincial Government of Japan (PGJ) has assigned your corporation a huge SECRET contract. You are hired to move, for environmental reasons, Mount Fuji (en masse) to North Sado Island. Your corporation will use physical local labor from the old Honshu region (farming is in real decline and many people are looking for work) and local sailors and stevedores from the Noto port region in the East. Fuji will be hauled truck by truck to the port at Noto and shipped to Sado Island by barge. But the PGJ has specified that you must use Gotaba Trucking Group in Chikugo in the old Kyushu region in the South of Japan.

Your team is to prepare the INFOSEC Security and RISK MANAGEMENT Policy for this project. Teams must focus on a full range of cryptographic and INFOSEC countermeasures available to protect the PGJ investment and your corporate image. Determine what is necessary to secure the enterprise computers from illegal activities or loss of secure information.

There are some problems that you must take into account. Remember there will be workers in many different places. Almost all communications will be by wireless means. Everybody will be moving, hauling, trucking, storing, shipping, unloading, and traveling. The workforce may reach 250,000 at its peak. Many unions (with different legacy systems in place) will be in play. Unions do not in general like restrictions on their members. They do not necessarily cooperate with each other. Be concerned with granting access for the hauling project. Mount Fuji is considered a living Monument and the work has been designated by the PGJ to be secret. The stevedores in the Noto region are a special problem and may require biometrically encrypted Passports and/or Visas. Prepare a cryptographic security policy that protects the PGJ in all three geographic areas of Japan affected and your corporation for this groundbreaking project.

Teams will prepare their responses in the form of a clever PowerPoint presentation of 50 slides or more. There is no paper requirement for this assignment. I have attached the 12th Century Japan map that I cooked up this exam from.

Appendix B-2
KING DRACOS Challenges – The Bracelet Solutions – Pick only One

The Bracelet – Problem I: Prisons

I want to welcome your team to our fair country, Draconia. My name is Richard Clarke. I am the Director of the Draconian Bureau of Prisons. We have invited your group to assist us and bid on a sensitive project to be implemented in our prison systems in 2007. It will help us control the prison population movements, especially the violent and repeat offenders. We have 40 prisons in Draconia housing 300,000 prisoners. These facilities are expensive to maintain and guards are underpaid and subject to bribery. About 10 percent of our prisoners have escaped, caused trouble in normal society, been recaptured and been returned to our prisons with longer sentences.

Your team will design a neck bracelet to be flexible enough to fit all our prisoners. It will have the ability to locate any prisoner, any place in our fair country (or world for that matter). The bracelet will have an explosive charge embedded into the device. It will send signals to a computer system to confirm the location of the prisoner. The bracelet cannot be removed or the charge will explode.

To eliminate the possibility of prison escape, the bracelet will be designed with two additional functions: 1) A yellow warning line will surround every prison facility or any restricted area in the prison. A prisoner crossing the yellow line will be severely shocked. A red terminal line will be placed ten feet further out from the yellow line. A prisoner crossing the red line will trigger the explosive charge around his neck. The bracelet will know the exact location of all yellow and red lines and prisoners. The central computer system will trigger the warning shock or explosive device depending on the prisoner’s disobedience. 2) Every prisoner bracelet will be linked RANDOMLY to another prisoner’s neck bracelet. If either linked “partner” breaks the red line rule, both prisoners suffer the same consequence.

Your team is not to be concerned with our laws (many of our lawyers are in the jail), politics, religion, costs or ethics. Your team is here to develop the computer system security and neck bracelet required to effect the above restrictions on our prisoners. We are also concerned that you protect the computer system from any outside or inside negative security influences. We want you to present your Secure AD plans, analysis, design and implementation recommendations. We intend to justify this project by reducing the direct cost of guarding our facilities and the indirect high costs of recapture and harm done to our society by escapes.

The Bracelet – Problem II: Borders

I want to welcome your team to our fair country, Draconia. My name is Louis Freeh. I am the Director of the Immigration and Nationalization Services. We have invited your group to assist us and bid on a sensitive project to be implemented in our country in 2006. It will help us control the massive influx of refugees and illegal terrorists crossing over our borders. Annually, we have approximately 50,000 persons illegally crossing our borders. We estimate 10% are criminals and 5% are terrorists threatening the peace and safety of our country. At our borders, we are able to stop, track, arrest or detain in camps about 5,000 annually. Our police forces are supplemented by voluntary armed militia. We prefer not to shoot these people, as it is bad for global public relations. We have done some research on those that come into our country without permission. Of those we stop, nearly 80% are repeat offenders! We call them ADs (anti-Draconians).

Your team will design a leg bracelet to be flexible enough to fit all our detained illegals, regardless of their request for sanctuary or their criminal or terrorist intent. It will have the ability to locate any AD, any place in our fair country. The leg bracelet will have an explosive charge embedded into the device. It will send signals to a computer system to confirm the location of the AD and close proximity to any other AD. The bracelet cannot be removed or the charge will explode.

To eliminate the possibility of AD re-entry into our fair country, the bracelet will be designed with two additional functions: 1) Draconia will have an “electronic line” built around its international borders. The leg bracelet must be able to determine when the AD crosses that line INTO our country, anywhere, at any time. It must feed this data back to the main computer system and to the INS agents in the field. 2) The bracelet has a counter that will max out at 2 intrusions. When an AD’s bracelet reaches 2 on the internal counter, the leg bracelet charge will be computer-triggered, as will every bracelet on any/all ADs within a 25-yard range.

Your team is not to be concerned with our laws, politics, religion, costs or ethics. Your team is here to develop the computer security system and leg bracelet to effect the above restrictions on our ADs. We are also concerned that you protect the computer system from any outside or inside negative security influences. We want you to present your Secure AD plans, analysis, design and implementation recommendations. We intend to justify this project by reducing the direct costs of guarding our borders and the indirect high costs of recapture and harm done to our society by repeat-offending ADs.

APPENDIX C
Attack / Defense Terrorism Scenarios

Teams choose one

Students may choose one of the eight topics assigned to set up an Attack and Defense scenario (with specific interest in identifying risks and providing protective countermeasures) in collaboration in class, via email and Blackboard. All materials and computer tools used are to be from OPEN sources and available through public means. Each team response to the five assigned scenarios should incorporate concepts and ideas from this class, applied in a balanced format of attack / defense of the subject enterprise target. Groups will have safeguards in their group environment that allow the group to optionally punish noncontributory effort with up to a 20% reduction in grade from what the group received. This is done with a peer-to-peer evaluation at the end of the process. I will supply the spreadsheets. This is a serious action and team members should use it as a last resort. The instructor has no direct input into the P2P process.

Scenario I: Walmart RFID.

Research team for a simulated cyber-attack and defense of network services and data communications for the Walmart Headquarters in Fayetteville, AR. Focus must include assessment of risks and the full range of cryptographic countermeasures, their implementation and effectiveness for defense.

Choice of this research must focus on the use of RFIDs. Walmart has told its top suppliers to have RFIDs on each pallet of products delivered to its stores by 2006. The system will potentially save 8.4 billion annually through reduced labor and loss by theft. Or will it?

Scenario II: Terror at Sea: Carnival Fun Ships.

Carnival Corporation is a global cruise company with a portfolio of 12 distinct brands comprising the leading cruise operators in North America, Europe and Australia. Carnival Cruise Lines, Holland America Line, Princess Cruises, Seabourn Cruise Line, Windstar Cruises, AIDA Costa Cruises, Cunard Line, P&O Cruises, Ocean Village, Swan Hellenic, and P&O Cruises Australia are all included in this group.

Together, these brands operate 77 ships totaling more than 128,000 lower berths with nine new ships scheduled for delivery between November 2004 and December 2006. It also operates the leading tour companies in Alaska and the Canadian Yukon, Holland America Tours and Princess Tours. Traded on both the New York and London Stock Exchanges, Carnival Corporation is the only entity in the world to be included in both the S&P 500 and the FTSE 100 indices. Being all over the map can be a great thing. "Fun Ships" cruise to well over 60 destinations including: The Bahamas, Caribbean, Mexico, Hawaii and even Alaska.

Research team for a simulated cyber-attack and defense of network services and data communications for the Carnival cruise line on the high seas, headed for a "fun" port of call. Focus must include assessment of risks and the full range of cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense.

Attack and Defense must center on a chosen Carnival ship's systems' vulnerabilities. Particular attention is to be paid to the RISK assessment and navigation/control issues, as everyone's life may be in danger at sea and panic brings on 2nd- and 3rd-order effects.

Rent the movie SPEED 2 and watch for ideas. Then go to www.carnival.com

Scenario III: Mall of America Terrorism Scenario.

The Mall of America has become globally recognized as the largest entertainment and retail complex in the US. Welcoming over 42 million guests each year, Mall of America in Bloomington, Minnesota is the nation's #1 visited attraction. The Mall of America has over 525 specialty stores, 4 national department stores - Bloomingdale's, Macy's, Nordstrom and Sears, over 50 restaurants from fast-food to fine dining, 7 nightclubs, 14 movie theaters, and much more!

Research team for a simulated cyber-attack and defense of network services and data communications for the Mall of America. Focus must include assessment of risks and the full range of cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. Consider the Mall of America a high-value target in your RISK ASSESSMENT and countermeasure identification process. Question (how would you penetrate?) the network security of the available businesses and local authorities protecting / serving the Mall.

Scenario IV: A/D on 911 Emergency Communications.

Research team for a simulated cyber-attack and defense of network services and data communications for the 911 Emergency Communications of a major city of over 50,000. Focus must include RISK ASSESSMENT and the full range of information security countermeasures, their implementation and effectiveness for defense.

Scenario V: Trucking Counter-Terrorism Scenario.

Carlisle, PA is the center for the US Army Strategic Center and War College. It is also the midpoint for I81, I83, I15 and I76, and within 10 hours of 1/4 of the US population. Problem: Trucking has become an enormous potential terrorist problem: uncontrolled traffic (literally 1000's of trucks per hour); the building of 24-hour super warehouses (hundreds of acres of previous farmland) for speculative clients in 4 counties on at least 4 exits; no legal stops; no real-time investigation or inspection for secondary-use chemicals; and low enforcement via an under-staffed State Police.

Research team for a simulated cyber-attack and defense of network services and data communications for the City of Carlisle, PA. Focus must include RISK ASSESSMENT and the full range of cryptographic and legal countermeasures, their implementation and effectiveness for defense. The team will review the Patriot Act and recommend the appropriate legal, technical and policy means to increase safety for the residents. Assume your presentation is in front of the County Board or the City Mayor's Advisory Team.

Choice of this research must focus on the use of RFIDs / GPS / automated inspection tools / X-RAY / CCTV or other countermeasures to solve the problem.

Scenario VI: Port of Singapore Terrorism Scenario

Singapore and its beautiful harbor sit at the bottom end of the Malacca Straits, a stone's throw from Malaysia and abreast of the South China Sea. She sits electronically in the middle of dangerous waters: more modern piracy and terror on the high seas occur there than in any other region in the world.

Your team will research and prepare a simulated cyber-attack and defense of network services and data communications for the Port of Singapore. Primary concern is the IT architecture and database requirements available to the Singapore Defense Forces and police. Consider Singapore a high-value target in your risk assessment and countermeasure identification process.

Attack / Defense scenarios must include an After Action Report which summarizes your team's “group think” on the effectiveness of the A/D contemplated / presented. It should also incorporate the improvements in intelligence gained by the computer security architecture suggested by your team.

Scenario VII: Hearts and Minds Inc.

Conceptual obstacles in computerized medical diagnosis.
The major problem in the medical field is to diagnose disease. Human beings always make mistakes, and because of these limitations diagnosis raises the major issue of the limits of human expertise. One of the most important problems of medical diagnosis, in general, is the subjectivity of the specialist. It can be noted, in particular in pattern recognition activities, that the experience of the professional is closely related to the final diagnosis. This is because the result does not depend on a systematized solution but on the interpretation of the patient's signal (Lanzarini and Giusti, 1999).
Brause (2001) highlighted that almost all physicians are confronted during their training by the task of learning to diagnose. Here, they have to solve the problem of deducing certain diseases or formulating a treatment based on more or less specified observations and knowledge. For this task, certain basic difficulties have to be taken into account:

  • The basis for a valid diagnosis, a sufficient number of experienced cases, is reached only in the middle of a physician’s career and is therefore not yet present at the end of the academic training.
  • This is especially true for rare or new diseases, where even experienced physicians are in the same situation as newcomers.
  • Principally, humans do not resemble statistical computers but pattern recognition systems. Humans can recognize patterns or objects very easily but fail when probabilities have to be assigned to observations.

Brause (2001) also gives the example of a study from 1971 that showed these basic facts in the medical area. This study showed that humans have many limitations in diagnosis. The results of this experiment were as follows:

  • Best human diagnosis (most experienced physician): 79.7%
  • Computer with expert data base: 82.2%
  • Computer with 600 patient data: 91.1%

From this result we can see that humans cannot analyze complex data ad hoc without errors.

Despite extensive research and a multitude of computer systems, there is no viable computerized system that is even remotely capable of approaching the skill of an expert human physician. Minor obstacles in the design of a practical system include imprecise medical terminology, the use of non-independent clinical parameters, incorrect or inaccurate information supplied to the computer, and static representation of a patient's medical history. Major problems that go beyond computer manipulation of data include the requirement for a massive database, representation of medical knowledge in general rather than specific terms, and physician fallibility in the design of a computer system.

Hearts and Minds, Inc. is a professional group of physician specialists (from Johns Hopkins and Tulane Medical Schools) in the treatment of aggressive cancers and serious heart diseases. They believe they can solve the aforementioned conceptual problems by implementing an advanced diagnostic computer system. This architecture will provide global web services and maintain a huge database of information. This knowledge management database will be made available to doctors and hospitals around the world. It will require special security based on HIPAA guidelines.
Your team will design / build the security system to protect the valuable information assets architecture for this humanitarian project.

Scenario VIII: Utica / Rome Hospital Terrorism Scenario

Research team for a simulated cyber-attack and defense of network services and data communications for a major Baltimore/Washington-area hospital's critical care systems (cardiac care unit, ICU, NNU, ER, Blood Bank, Pharmacy) and sensitive patient records databases. Focus includes cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. HIPAA requirements are to be covered, as required.

Explore the systems architectures that the chosen Baltimore / Washington hospital currently uses, as obtained by OPEN source methods and site visit. Many of the systems are wireless and provide high interoperability with little security. Identify potential routes that might be used to reduce the effectiveness of the information flow and how you might improve them by redesign and better practices. Investigate how a “fake” doctor might use the appropriate systems to gain advantage to hospital resources.

Attack / Defense scenarios must include an After Action Report which summarizes your team's “group think” on the effectiveness of the A/D contemplated / presented. It should also incorporate the improvements in intelligence gained by the computer security architecture suggested by your team.

APPENDIX D
Security Risk Assessment Exercise

Open books, open notes; teams will present findings competitively in class. You may use visuals, blackboard, PowerPoint, handouts or flip charts, if available. At the end of the presentations, the class will discuss what we learned.

Security Engineering (100 points)

1. Analyze the risk profile of the following described corporation, using the risk management equation.

Corporation description:
Medical research firm, with $4.7 Billion in revenues per year and 120,000 employees located in 72 countries worldwide. Research is conducted using laboratory testing, computer simulation and modeling, and requires worldwide sharing of data from test results. The company must get its products approved by every country that it sells them in, and the faster it gets them to market, the longer it can benefit from the exclusivity granted by patent protection. In fact, the company recently shepherded a new schizophrenia drug through the approval process in 17 countries through the use of its intranet: it brought the drug to market in only 18 months and generated over $550 million in revenue in the first 14 months on the market. The CEO is particularly concerned about industrial espionage and about keeping data integrity.

2. Do a security needs analysis. Use the Security Needs Definition Matrix format.

3. Given a security budget of $1,000,000 (one million dollars) for the corporation described for the first year, how would you allocate that funding between technologies? What would you target for follow-on year investments? Use the Technology Cost Estimates given in the Reference Material. Show how you arrived at the conclusion and justify your recommendation. If necessary, make judgments on the relative benefits accorded by the technologies to the security challenges of the corporation. This should result in a complete systems engineering analysis of how to implement security.
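A first-year cost model for question 3, added here as a worked example for these notes (it is not part of the course material). It encodes the rows of the Technology Cost Estimates table in the Reference Material as cost functions, scales them to the 120,000-employee corporation of question 1, and fills a $1,000,000 budget greedily in a priority order chosen from the CEO's stated concerns. The workstation, server and firewall counts, the treatment of the $40,000 firewall installation charge as per unit, and the priority order itself are assumptions the exercise leaves to the team.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Corp:
    employees: int
    computers: int  # ASSUMPTION: one workstation per employee
    servers: int    # ASSUMPTION
    firewalls: int  # ASSUMPTION: one per major regional site


@dataclass(frozen=True)
class Cost:
    fixed: int = 0               # flat first-year amount
    per_person: int = 0          # x employees
    per_100_computers: int = 0   # x each started block of 100 computers
    per_20_workstations: int = 0  # x each started block of 20 workstations
    per_server: int = 0
    per_firewall: int = 0

    def first_year(self, c: Corp) -> int:
        return (self.fixed + self.per_person * c.employees
                + self.per_100_computers * ceil(c.computers / 100)
                + self.per_20_workstations * ceil(c.computers / 20)
                + self.per_server * c.servers + self.per_firewall * c.firewalls)


# Rows of the Technology Cost Estimates table as given in the Reference Material.
COSTS = {
    "Antipiracy Software": Cost(fixed=15_000 + 5_000),  # site license + first year's admin
    "Antiviral Software": Cost(per_20_workstations=150),
    "Audit Data Reduction System": Cost(per_100_computers=5_000),
    "Auditing/monitoring systems and networks": Cost(fixed=120_000),
    "Backups": Cost(per_100_computers=8_000),
    "Biometric Identification Authentication System": Cost(fixed=35_000, per_person=35),
    "Computer Emergency Response Team": Cost(fixed=300_000),
    "Configuration Management System": Cost(per_server=5_000),
    "Cryptography": Cost(fixed=75_000),
    "Disaster recovery/Business continuity exercises": Cost(fixed=50_000),
    "Disaster recovery/Business continuity planning": Cost(fixed=35_000),
    "Employee Activity Monitoring System": Cost(fixed=200_000, per_person=5),
    "Employee Background Investigations (low)": Cost(per_person=500),
    "Employee Badging System": Cost(fixed=100_000, per_person=5),
    "External Security Monitoring Service": Cost(fixed=75_000),
    "Firewalls": Cost(per_firewall=10_000 + 40_000),  # ASSUMPTION: installation charged per unit
    "Independent security assessments": Cost(fixed=25_000),  # one assessment
    "Intrusion detection systems": Cost(fixed=15_000),
    "Network Monitoring": Cost(per_100_computers=5_000),
    "One Time Password System": Cost(fixed=50_000, per_person=35),
}

CORP = Corp(employees=120_000, computers=120_000, servers=200, firewalls=4)

# Priority order reflecting the CEO's concerns (espionage, integrity); a judgement call, as the question asks.
PRIORITIES = [
    "Cryptography", "Firewalls", "Intrusion detection systems",
    "External Security Monitoring Service", "Auditing/monitoring systems and networks",
    "Independent security assessments", "Disaster recovery/Business continuity planning",
    "Computer Emergency Response Team", "Antiviral Software", "Employee Badging System",
    "Configuration Management System", "Disaster recovery/Business continuity exercises",
    "Network Monitoring", "Backups", "One Time Password System",
]


def allocate(budget: int, priorities=PRIORITIES, corp: Corp = CORP) -> dict:
    """Greedy first-year plan: take items in priority order while they still fit the budget.

    Items that do not fit are returned as deferred, with their full scaled cost,
    so the team can argue for phasing them into follow-on years.
    """
    spent, chosen, deferred = 0, [], []
    for name in priorities:
        cost = COSTS[name].first_year(corp)
        if spent + cost <= budget:
            chosen.append((name, cost))
            spent += cost
        else:
            deferred.append((name, cost))
    return {"chosen": chosen, "deferred": deferred, "spent": spent, "remaining": budget - spent}


if __name__ == "__main__":
    plan = allocate(1_000_000)
    for name, cost in plan["chosen"]:
        print(f"{name:<50} ${cost:>12,}")
    print(f"{'spent':<50} ${plan['spent']:>12,}   remaining ${plan['remaining']:,}")
    for name, cost in plan["deferred"]:
        print(f"defer: {name:<43} ${cost:>12,}")
```

The scaled numbers make the exercise's point quickly: every per-person or per-computer technology (antiviral, backups, badging, biometrics, one-time passwords) costs several times the whole budget at 120,000 employees, so the first-year plan can only buy flat-cost items and the per-seat controls have to be phased or scoped to the research units the CEO is worried about.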

Reference Material
Security Needs Definition Matrix (columns: What? / How much? / How long?):

Confidentiality
  What?      • What needs to be kept secret?
             • What doesn't need to be kept secret?
  How much?  • How much secrecy is enough?
             • How much is NOT enough?
  How long?  • How long does secrecy need to be assured?
             • At what point does secrecy cease to matter?

Integrity
  What?      • What needs to be kept whole and pure?
             • What does not need to have assured integrity?
  How much?  • How much integrity is enough?
             • How much is NOT enough?
  How long?  • How long must data integrity be assured?
             • When does data integrity cease to be required?

Availability
  What?      • What needs to be available for use?
             • What doesn't matter whether it is available or not?
  How much?  • How much availability is enough?
             • How much is NOT enough?
  How long?  • How long must availability be assured?
             • When does data availability cease to be required?

Technology Cost Estimates

Technology/Processes                               Cost (in US dollars)
Antipiracy Software                                $15,000 site license + $5,000 admin costs per year
Antiviral Software                                 $150 for every 20 workstations
Audit Data Reduction System                        $5,000 per 100 computers
Auditing/monitoring systems and networks           $120,000
Backups                                            $8,000 per 100 computers
Biometric Identification Authentication System     $35,000 plus $35 per person
Computer Emergency Response Team                   $300,000
Configuration Management System                    $5,000 per server
Cryptography                                       $75,000
Disaster recovery/Business continuity exercises    $50,000
Disaster recovery/Business continuity planning     $35,000
Employee Activity Monitoring System                $200,000 + $5 per person
Employee Background Investigations                 $500 per person (low); $5,000 per person (high)
Employee Badging System                            $100,000 plus $5 per person
External Security Monitoring Service               $75,000
Firewalls                                          $10,000 each + $40,000 installation and configuration
Independent security assessments                   $25,000 each
Intrusion detection systems                        $15,000
Network Monitoring                                 $5,000 per 100 computers
One Time Password System                           $50,000 + $35 per person