UTICA COLLEGE
Utica, NY

Fall 2007 Online
CRJ 428A Information Systems Threat, Attacks & Defense

Instructor: Associate Professor, Randall K Nichols, Chair & Director, Cybercrime Investigations, Computer Forensics & Information Assurance Undergraduate Major
Office: Hubbard B-4
Email: rnichols@utica.edu
Phone: 315-223-2501
Mobile: 717-329-9836
Office Hours: 10:30AM – 10:00 PM EST
Website: www.infosec-technologies.com

Instructor Bio http://www.utica.edu/academic/ssm/cybersecurity/faculty.cfm?featureaction=details&id=34341545-D42A-5C6A-9915F40800887638

Instructor Website A wealth of supplementary information for our course is available at www.infosec-technologies.com. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Textbooks and instructional resources

Required

  1. Information Security (Protecting the Global Enterprise), Donald L. Pipkin, Prentice Hall, 2000.
  2. Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier, Copernicus, 2003.

Course Description

Introduces core concepts and techniques of information security. Includes the identification and application of information risk management models. Traces the entire life cycle of information systems security planning, evaluation, risk assessment, security architectures, incident detection, and responses to vulnerabilities and threats. Introduces legal, ethical, and business issues that motivate and constrain the definition and implementation of information security management systems. Addresses software system vulnerabilities, software security (including trusted software), alternative countermeasures, policy, cryptography, and attack trends. Introduces techniques for measuring status/progress in delivering secure systems. Course will emphasize current information risk management needs, techniques, and challenges from both business and technical perspectives through active discussion, individual project research, assigned homework, and special activities. Our course will stress asymmetric thinking principles to engage better security solutions. {I have included a few of my personal thoughts on asymmetric thinking, terrorism, and fear at the end of this document.}

Prerequisites

  • None. However, ability to think creatively / asymmetrically; ability not to sleep more than 4 hours at night; ability to work well in team format. CRJ 333 helps.

Objectives / Learning Outcomes

  • Understand the basic concepts of information risk management.
  • Understand the steps required for assessment of information systems vulnerabilities, threats, and risk estimation.
  • Understand the importance of policy specification, user awareness, and process standards in a program for system security.
  • Know how to prepare an information systems security program.
  • Understand techniques for measuring the effectiveness of an information security program.
  • Know how legal, ethical, and business issues can shape an information security program.
  • Understand the basic concepts of secure software, especially trusted system design.
  • Understand basic concepts of cryptography, web and database security, forensics, and physical security.
  • Understand the methods for intrusion detection and response.
  • Understand the current threat posture, and demonstrate an awareness of the likely evolution of security threats, regulations, and countermeasures.
  • Use the Internet to locate information security information, recommendations, tools, and case studies.

Bullets

Students will prepare three or more Bullets per week minimum, on current items broadly pertaining to this course: URLs, summaries of current security events, interesting Risk Analysis / Computer Forensics / Intrusion Detection / INFOSEC finds, etc., or Webliography items each week. Students may also choose to add to the Webliography interesting URLs that dovetail with the material in this class. Bullets are grade differentiators on participation. There are only three rules governing bullets: 1) they cannot be over 7 days old, 2) they cannot repeat / duplicate another person's bullet and 3) Anti-Virus related bullets; or AV new / old product information; or AV marketing material; or company strategic AV roll-out plans; or risks associated with not having AV software deployed; or any news item relating to AV are unacceptable in any form and are to be considered poison to your grade [known affectionately as the AV rule].

Student Team Midterm VOIP Challenge and SCADA Final Research PPT

I believe that teamwork facilitates research and better learning.  The Exercises, Midterm and Final are team efforts. The primary deliverables for this course are the Team A/D PPT Presentation on a SCADA target and implementation of secure voice over internet protocol using Gismo.  Teams will post their PowerPoint presentations. Every member must contribute to the PPT.

MIDTERM

All teams will solve the VOIP Midterm project. The Midterm project looks at Secure telephone calls over VOIP. It is a very practical way to conference in your teams. Telephone calls over the Internet are free.

There is no Midterm paper required. Each team will present a PowerPoint Presentation of approximately 50-75 slides to demonstrate their team research on secure VOIP. There is no maximum number of slides. A normal number of slides (B range) is about 50-60. The Midterm can be completed early and in stages. I recommend this because there is a real advantage to doing so.

We will use the brilliant new security product by cryptographer Phil Zimmermann called Zfone and the VOIP product known as GISMO.

Teams are encouraged to use the GISMO and/or Zfone approach for contact / communications with the Professor or teammates for preparation of the difficult Final. The midterm has four (4) stages: 1) Gismo 1-1 personal conversations are achieved; 2) Gismo conferencing is achieved; 3) Zfone is used to secure the 1-1 calls with authentication; and 4) this success is demonstrated to the professor by his being part of the conference and Zfone conversations. After that, the only item left is preparation of a detailed PPT about Secure Voice over Internet.

Students in the past have been looking for a better way to communicate with the teams in various parts of the country or overseas. Well, here it is.

Required websites:

GISMO: http://www.gizmoproject.com/  Download the current version.

Zfone: [After you have GISMO working]: http://www.zfoneproject.com/  Download the current version. Also, download the ZRTP Internet standard - http://www.zfoneproject.com/zrtp_ietf.html.  You will need this to understand the protocol (why Zfone works) and will use it to prepare your Midterm PPT.

Required Equipment: Purchase a Logitech Internet Mike and Earphones USB device to install on the computer you choose to make VOIP GISMO calls.

There are some special settings when you set up Zfone (after GISMO is working 1) individually and 2) in conferencing with teammates and me). They are not hard but need to be incorporated for Zfone to work. They are found in the Zfone installation documents.

Students who have used Phil Zimmermann’s brilliant PGP version 6.5.8 will have a step up on the class. We will redo the PGP exercise as a warm-up to the Zfone Midterm.

FINAL

For the Final, student teams will perform INFOSEC research on three Attack / Defense terrorism scenarios on the SCADA system deployed at a chemical or manufacturing plant. Teams present results in the form of a PowerPoint presentation posted to the class. 

I will post the detailed SCADA Target and a real Counter-terrorism example PPT PIIF for team study.

The Team Research PPT is a hypothetical and complete Asymmetric Attack and Defense developed scenario (with three issues / options) on an enterprise network target. Special emphasis must be made on the Risk Assessment (Impact, Vulnerabilities, Threats, and Cryptographic / ID countermeasures) used for defense purposes. Equal weight must be addressed by teams for both attack and defense preparations. A special 2-3 slide After Action Report must be included to summarize the team’s evaluation of the success and plausibility of both the attack and the defense.

There is no final paper.  However, any PPT Final presentation less than 75 slides is unacceptable. No maximum number of slides.

I look at the collaborative final PPTs closely, checking references, spelling, flow, clarity, organization, problem solution, strength of attack versus defense scenarios, and PowerPoint Presentation of team ideas. Think of yourself as giving a briefing before the National Security Advisor or Cabinet Secretary. Be sure to have a Title slide, Summary, A/D scenarios mapped out, Conclusion and After-Action Report Section (with appropriate references and appendices in place). The latter is your team’s judgment of the success and failure of the A/D described. One last thought: references must not be skewed to the web-only mode - hard references, interviews, photography, and cartography are all pluses. Team leaders: this is the "big bang for your buck ticket item." Be sure you personally look at the final submission closely for flow. Each team will present a PowerPoint Presentation of approximately 50-75 slides to demonstrate their research to the class. There is no maximum number of slides.

Project 1 – PGP: Cryptography and Authentication

Each student will download and install a free, non-commercial single-use copy of PGP version 6.5.8 from www.infosec-technologies.com OR from WebCT under Course Content.  Follow instructions in the Appendix A: Robust PGP Instructions. Do not send your keys to the MIT Certserver, as I will act as the class-certifying agent. MIT no longer services PGP keys. This is one of the few individual projects assigned in my class. Do not use other versions of PGP because they are not free and they have removed some of the best features found in Version 6.5.8. Further, they do not include the proper use of Secure Viewer.

Project 2 – Security Risk Assessment

Each Team will complete a security risk assessment for a hypothetical company, following the guidelines provided by the instructor. See Appendix B for the Security Assessment Problem. Minimum number of slides is 35. No maximum.

TEAMS
Team Emphasis  Note: in my classes, there is a significant emphasis on teamwork. Choose your teammates and team leader carefully. Information security / Forensics Investigation challenges are handled best through teamwork and joint knowledge.

More On Teams Regarding team formations:  Every team investigates both sides of the analysis (the Attack & Defense) (good guy and bad guy –two POVs). Teams collaborate to decide who wants to do the attack side and who wants to do the defense side. It is up to the team (and TEAM LEADER) who performs what function on the problem. You work together and separately. At the end of the preparations, you come together and share what happened, report it in PPTs and in the AAR.

TEAMS are SELF-DIRECTED and SELF-POLICING.

The Team Captain coordinates the projects, is responsible for the presentations and / or papers due, resolves differences, encourages participation, facilitates and checks for spelling and writing flow of the resulting work, and ensures that the best work is produced. Team Captains are the liaison with me and I fully support their actions.

The Team Captain is in charge and is responsible for the delivery of the assignments. It is incumbent on, and the responsibility of, the teams to support the person they chose. Frankly, the team grade depends on it. Be professional. Let your team captain know if you are going to miss a class or be late on a team assignment. This way someone on your team can cover for you. Team Captains report directly to the instructor.

The bad guys (the Attack side of A/D) are tasked with breaching the security of the information assets and overriding the countermeasures applied to reduce risk. They have time and flexibility on their side.

The good guys (the Defense side of the A/D) are not stupid. They must also have a plan to protect their information assets. Use cryptography or Steganography if you like. Set Malware traps, set hardware traps, prevent the viewing of data, hide files, put in spiders and self-destroys. Set up firewalls, VPNs, enterprise IDS, biometrics, and anything you think will stop the attacks. The cleverer the security plan, the tougher the attack team will have to work. Consider which tools / technologies are important.

The third part of the analysis, the AAR or After Action Report (generally 3-4 slides), is where the team as a whole collaborates on the effectiveness of the security. They compare notes. They share findings, tools, and details. They present their JOINT conclusions on what part of the attack(s) worked and what didn't. Lastly, mitigation (if possible) of those differences is presented in one to two slides.

All team-members earn the SAME grade subject to the P2P evaluation procedure discussed below.

TEAMS may elect to use the FIRC analysis (especially for the security exercises and Final) presented in CRJ333. See course content module in WebCT for further discussion.

Fall 2007 Course Syllabus
Wk / Session / Topic / Reading / Assignments & Due Dates

WEEK 1

Session 1

  • Course administration
  • Introduction to Information Risk Management
    • Current state of affairs
    • Why is this important?
    • Information risk management models
  • Intro to security lab

Pipkin: Prologue and Introduction
Schneier: Chapter 1

Bullets
Minimum 3 per week.

Students will post comments on 2 of their teammates' bullets in addition to their own requirement

WEEK 2

Session 2

  • Building an Information Security Management Program
    • Security program planning
    • Compliance and security standards
    • Business case and Business enabling action

Pipkin: Phase I, Chapters 1, 2, 3

Schneier: Chapter 2

Project #1 PGP  assigned

WEEK 3

Session 3

  • More on risk assessment
  • Threats / Vulnerabilities

Schneier: Chapter 3


WEEK 4

Session 4

  • Cryptography & Networks

Pipkin: Chapter 4; Phase II, Chapter 8

Schneier: Chapter 4

 

WEEK 5

Session 5

  • (Internet Warriors)
  • Attacks and attack methods
  • Beginning safeguards and countermeasures
    • A security architecture
      • Systems
      • Networks
      • Users

Pipkin: Chapter 5; Phase II, Chapter 8

Schneier: Chapter 5

Project 1 – PGP: all exchanges must be completed by 1800 EST Wed.

WEEK 6

Session 6

  • Access controls
    • Software systems
      • Trusted software
      • Databases

Pipkin: Chapter 11, 12, 13, 14

Schneier: Chapter 6

GISMO & Zfone conferences, secure VOIP calling assigned.

WEEK 7

Session 7

  • Identification
  • Authentication
  • Product certification
    • ISO15408 (Common Criteria)
    • NIAP
    • ICSA (anti-virus and firewall)

Pipkin: Chapter 9, 10, 11 (again)

Schneier: Chapter 7

 

WEEK 8

Session 8

  • Encryption
  • Basic concepts
  • PKI
  • VPN, SSL, SSH
  • IPSec

Schneier: Chapter 8

Midterm:
GISMO & Zfone VOIP conferences must be operative by 1800 Wed

Professor will take part in these calls.

Midterm may be accomplished anytime before the 8th week.

WEEK 9

Session 9

Mid-Term (Fuji Challenge or Dracos - Team PowerPoint Presentations in Class, No Paper required)

Schneier: Chapter 9

Security Project 2 (Security Risk Assessment) assigned

WEEK 10

Session 10

  • Accountability and Audit
  • Mobile and wireless issues
  • Foundation safeguards (firewalls, compliance managers, security portals)

Pipkin: Chapter 15

Schneier: Chapter 10

 

WEEK 11

Session 11

  • Operations
    • Administration and provisioning
    • Measuring security
    • Detection

Pipkin: Chapter 7, 16
Pipkin: Phase III, Chapter 17, 18, 19, 20

Schneier: Chapter 11

Security Project 2 (Security Risk Assessment) due by 1800 EST on Wed


WEEK 12

Session 12

  • Operations
    • Reaction and incident response
    • Forensics
    • Recovery
    • Legal, Privacy, Ethical Issues

Pipkin: Phase IV, Chapter 21, 22, 23, 24, Chapter 25, 26, 27, 28, 29, 30, 31

Pipkin: Epilogue
Schneier: Chapter 12


SCADA A/D Counter-Terrorist Scenario A/D assigned

WEEK 13

Session 13

Course Wrap-Up

Schneier: Chapter 13-14



WEEK 14

Session 14

Team Day

 

 

Complimentary review of raw Final PPT needs to be available 1 week or more in advance

WEEK 15

Session 15


FINAL: Student Team A/D Terrorism Scenario Presentations on SCADA Target

PPT must be posted by 1800 Wed

Course Policies and Procedures

Grading: According to Utica College standard grading scale and policy: A 93-100; A- 90-92.9; B+ 88-89.9; B 83-87.9; C+ 78-79.9; C 73-77.9; C- 70-72.9; D+ 68-69.9; D 63-67.9; D- 60-62.9; and F 0-59.

The grade range of B represents the benchmark for this class. It indicates that the student (or team) has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Grading

For CRJ 362 Z, the final course grade will be determined as follows:

PGP Project 1 (Individual) -- 15% [All or Nothing, i.e. A or F]
GISMO / Zfone VOIP Secure Phone Midterm and Research PPTs (Team) -- 20%
INFOSEC Security Exercise PPTs (Team) -- 15%
SCADA A/D Final Asymmetric Research PowerPoint Presentation [FINAL] (Team) -- 30%
Bullets (Individual) & Participation (Individual / Team Participation) -- regular submissions of "Bullets" or webliography (Individual grading) & Featured Software discussions (Individual grading) -- 20%

[Bullets = Online students are expected to post 3 (MINIMUM) current bullets to the discussion forum each week. In addition, Online students are expected to comment intelligently on TWO other classmates' posted bullets.]

On-Line Format

The format of the online session will be Socratic style. I will post questions in the homework conferences for you to respond to. There will be accompanying lecturettes and slides to assist you with the subject matter. I do ask that students use literature references in their responses. APA referencing will be required. The team collaborative PPT requirements will be posted in the class issues conference. 

Online Participation

Students are expected to participate / contribute regularly, e.g., 3x – 5x a week. You should plan to participate just as though you are having an ongoing conversation. This means that you may want to check conferences a few times a week and respond to what you see there and engage others in a simulated dialog. Use the sort by Date and Author and Unread features as well as the "Read All Notes" button to help you speed through the new postings. Please "talk" to one another during the week as well as to me when you are addressing any topical discussions we have. It is impossible to have much of a thoughtful conversation if everyone saves participation in the discussion for late Sunday night.

As part of your participation and response, you may hyperlink websites or materials from your own web page if they enhance your participation.  I evaluate participation on its thoughtfulness, engagement, and insight and web-courtesy. Flames are not an appropriate response to genuine interest or questions.  There is a participation rubric available in the course materials area. Further, I monitor all the online discussion and bullet conferences. Think of this as a gauge of both student participation and “virtual attendance.”

Credit will be given for discussions in the appropriate UC WebCT forums and not for “off the books chats” or other communication meetings. Students using chat, IM, or non-UC email systems should copy a log of those UNCENSORED chats, etc. and submit it to the UC WebCT forum so appropriate participation credit may be received. The exception to this rule is the Midterm, for which we will use GISMO and Zfone to have secure phone conversations using VOIP.

Submitting Online Assignments

Please submit your assignments in HTML, RTF, or plain text when they are due. You may post them to the Assignment Area (or send them as attachments to email). You will lose 10% of the assignment grade for each day an assignment is late.

Please keep copies of all assignments that you send to me and all that I return to you with my comments. If you revise an assignment, please send your original with my comments, along with the revised assignment, in the same email. Note that you have revised the assignment and what you think you did to improve the original. Number and Date the Revision.

Please label all submissions, files, and emails with your Team Name, Team Project or Case, and Date revised. This avoids confusion.  Use UNIQUE names not “Midterm” or “Final.”

Getting WebCT or computer Online

Help is available at the Utica College IT Help Desk at helpdesk@utica.edu or (315) 792-3115. Have your login ID, password, and your class and section numbers when you call or include them in your email. Include information about your browser, system, or any other details you think will be needed by the folks at WebCT Help and Support to assist you. Cut and paste the actual error notices that pop up for even better responses.

Summing Up a Successful Online WebCT Student

A successful WebCT student is one who reads the materials thoroughly before responding, participates regularly, engages the material and others with enthusiasm and courtesy, schedules time to do the work, asks for help when it is needed, interacts with others in the class, is self-motivated, turns in well-drafted, proofed assignments, and keeps copies of all work and my responses in case of an emergency.

Virtual Hours Our virtual week goes from Monday through Saturday. Many clear-weather Saturdays and Sundays, I am on the Chesapeake Bay onboard the CRYPTO-WIZ. This is not a good time to call me. Satellite coverage is good but my brain coverage is noisy. The rest of the week, you can call or e-mail me anytime between 1030-1700 Hrs EST.  It is not unusual for me to respond to your e-mails as late as 0400 Hrs EST.  I usually return e-mail within 4 hours. When you respond to me, use your e-mail Reply option and include the last message so I know what our conversation was about.  I will do the same for you. If you do not hear from me within this timeframe, please do not hesitate to e-mail me again, as I may not have received your e-mail. When you e-mail me, please include in the subject line the course identifier number and the topic of your e-mail. Also, please include your name in the text message, as some e-mail addresses give no clue as to their owners – and you will find your email part of my anti-SPAM ELLA filter. If you have multiple e-mail addresses, please advise me. The default email is the @utica.edu.

Writing Standards

Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. Utica College recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition) or www.apastyle.org. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. Other resources are The Elements of Style (Strunk and White), 100 Ways to Improve Your Writing (Provost) and the Utica College Writing Center at Hubbard Hall, Room 216.

Timeliness

It is expected that all course work will be presented on time and error free. Assignments are due on the established due date whether a student is present or not. Work submitted online should follow standard procedures for formatting and citations.  Since most of our class work is performed in team format, students have a responsibility to their team and this class. They must arrange with the team leader for missed participation. Except for military service, verifiable medical leave or bereavement leave, there will not be ANY late grading. 

Students should respect the learning atmosphere of others by not coming in late or leaving early.

Academic Integrity and Plagiarism 

Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid (electronically or in person) on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as one’s own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by carefully following accepted scholarly practices. Notes taken for papers and research projects should accurately record sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism or intentional cheating include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Utica College’s formal policies at http://www.utica.edu/academic/catalog/academicregulations.pdf

Disabilities 

Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from the Coordinator of Learning Services authorizing the accommodation is required (Kateri Henkel, khenkel@utica.edu, 315-792-3032).

Course Evaluations 

Feedback on each undergraduate course and instructor is important to the College, your professor, and to all students. Utica College has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form.

Email 

Please remember to put [CRJ 362 + Team Designation] in the Subject of every email. In my online courses, the volume of email and attachments is significant. Do not use the WebCT version 6 internal email. Use: rnichols@utica.edu

P2P Team Evaluations and Performance 

80% of our course is Team-Based. Further, the mid-term and final projects are VERY asymmetric. There is no book, reference, “quick-guide”, or URL that has the specific answers.  The goal is to present a reasonable and logical team-solution to a difficult (even unusual) assignment based on best information security, risk assessment practices and technologies gleaned from your team-research, laboratory investigations and our class materials.

A good portion of the team grade is determined by how well your team accomplishes its goal working collaboratively. We think, learn, evaluate, problem-solve, generate ideas and possibilities and write better as a team. Research confirms that teams consistently out-perform the “star” individualist. This is the real world. Information assurance issues / computer forensics investigations in organizations are rarely assigned to one person – regardless of how strong or technically adept he/she is. They solve the big problems in real time, team format, with collaborative working sessions.

Over my career, I have found that teams work effectively – most of the time. In general, all team-members receive the same grade on exams and projects. This policy is subject to the P2P (peer-to-peer) team evaluation process. When a team does not interact well as a team or one member intentionally does not participate effectively, or when the team leader is at terrible odds with the team itself and refuses to be flexible or improve the “lens of understanding,” we have the P2P policy to fall back on. P2Ps may optionally be submitted (for the semester) by any team or team member within one week after the final project/exam. P2Ps are strictly confidential and I maintain these records for many years. Students are subject to an individual grade penalty of up to 20% of their grade if a majority of their team-members find their overall performance deficient. The team keeps the scorecard on itself. As a practical matter, I discourage the formal P2P process and encourage teams and team leaders to solve their own problems “in-house.” I will be glad to help and encourage positive results in our teams in every way I can before using the P2P disincentive. I will notify students receiving a reduction of grade based on the P2P process in writing.

Class Discussions 

We bring differing points of view to this class. Participation is not only encouraged, but many times I will put a fire under the class to analyze INFOSEC issues with a variety of perspectives. Be prepared to take the side of a brisk discussion (not argument or personal attacks) that is in conflict with your own. Challenge yourselves – especially when solving asymmetric team problems. Respect and professionalism are the operative guidelines for our discussions.

Extra Credit Work 

The punishment for good work is more work and respect. The real currency in life is not money. It is respect and creditability. Extra credit assignments (limit one per student per semester) are available for students who enjoy individual achievement, want to learn more and are excited by the material as a possible vocation or sense that they need a few more points to improve their grade. I believe in the “pay it forward” principle. Extra credit assignments (worth up to one grade level) are designed to help my current and future students by developing accurate, current resource materials.  Extra credit assignments must be completed on time to be valued. They do not replace any of the normal exams, asymmetric teamwork, assignments or case studies. “Extra” is the operative word. Extra credit points may be used on individual assignments /grades only.

Death March Team (DMT) Eligibility  

Students who maintain an A level average in this class may be invited to join the DMT. This is quite an honor. DMT represents a network of over 240 of my active working Graduate students from George Washington University, Towson University, University of Maryland University College, Utica College, Tulane University, Capitol College, US Army, US Navy, USCG, USJCS, White House, DOD, DHS, FBI National Academy, NSA and major security organizations (SAIC, BAH, ASFT, Anteon, Credant Technologies) that collaboratively work on some fascinating short-term challenges. They evaluate new “beta” technologies, prepare presentations as a team to national conferences, provide speakers for local events, and critique each other’s papers. It is a network that helps each other find work in senior positions. We always attribute our work professionally; maintain a code of professional ethics and work to improve our profession. We are committed to each other’s professional success. Respect is our currency.

Disclaimers 

This course examines, inter alia, ethical and legal dimensions of on-line behavior. It is not intended to turn information technology or forensics investigation professionals into lawyers. Many of the topics to be discussed will be concerned with the law and legal implications of certain behavior. Every effort is made to provide accurate and complete information. However, at no time during this course will legal advice be offered. Any student requiring legal advice should seek services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore technology and management issues related to elements of holistic Information Security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored. Students are reminded that it is a violation of Federal and some states’ laws to attempt to gain unauthorized access to information assets or systems belonging to others, especially federal CIS assets, or to exceed authorized access on systems to which they have been granted access. At no time in this class should any student violate either laws or confidences.
This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading.

Case studies are based on real events. The characters and storylines in many of my A/D / CF / scenarios / plots are fictitious. A/D scenarios are based on current headlines and intended to bring a sense of realism into team discussions. They are not intended to impugn or malign any particular group or religion.

Bibliography

Barnett, T.P.M. (2004). The Pentagon’s new map: War and peace in the twenty-first century. New York: Penguin Group.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Campen, A.D., et al. (1996) Cyberwar: Security, Strategy and Conflict in the Information Age, AFCEA.

Cordesman, A.H. (2002) Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Diamond, J. (2005). Collapse: How societies choose to fail or succeed. New York: Viking.

Dorothy, D. (1999) Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Evers, D., Miller, M. & Glover, T. (2005) Pocket Partner, 4th Ed. Littleton, CO: Sequoia.

Gordon, L. A. & Loeb, M. P. (2006) Managing Cyber-Security Resources: A Cost- Benefit Analysis. New York: McGraw Hill.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington, DC.

National Research Council, (2002). Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, Washington: National Academy Press, Washington.

Nichols R. K, Ryan, D. J., & Ryan, JCH. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Parker, T., et al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Rattray, G. J. (2001). Strategic Warfare in Cyberspace. London: MIT Press.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996) Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Vatis, M.A. (September 22, 2001) Cyber Attacks During the War on Terrorism: A Predictive Analysis. Director, Institute for Security Technology Studies, Dartmouth College.

Verton, D. (2004) Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.

APPENDIX A
Robust PGP Instructions

Several of you are having success with the PGP project and others are in need of some directions.

The PGP project is to introduce you to a working public key cryptosystem where material is in fact, kept confidential. I also want to have you understand the principles of robust authentication. We can do both with PGP.

1) Download the proper [platform & US location] PGP version 6.5.8 from www.infosec-technologies.com resources page (middle). The instructor can also provide single-use copies of the Version 6.5.8. Do not download newer versions of PGP as they do not have the same features, are not free and actually have less flexibility than the free version.

2) PGP sets up the correct plug-ins for your email. Accept them.

3) Create your public-private key pair. Use a minimum key bit length of 4096 and I suggest that you specify the Diffie-Hellman DSS version, as it works with all the current versions of PGP keys. Generate a key pair that identifies you and use an email address that can accept attachments. Do not expire your key for this class. You will learn that PGP expiration is not what it seems.

4) Choose a long pass phrase that has numbers and letters in it. PGP will generate the prime numbers associated with your keys.

5) Do not send your key to the cert-server because I will act as the certifying agent for the class and I want to be sure that all is correct before we do this. Once it reaches the cert-server, it is nearly impossible to correct a mistake, especially when you see what we do in step #9! Further, MIT does not accept PGP keys anymore. Their Certserver service has been shut down.

6) You will notice that your public keyring comes into view and suddenly you have a lot of keys! Using the shift key, highlight all of them in groups EXCEPT yours and Phil Zimmermann's out of respect to the inventor, and DELETE them. The delete function is under the EDIT tab. When you are done you will have your key with "road" markings on it.

7) Highlight your key and right click for PROPERTIES and see: A) that it is a CAST key. CAST is the default algorithm and is not acceptable in this class. See also that your public key has properties. Check the hexadecimal box and there you will see the FINGERPRINT that is unique to your key. The ID is related to your key on the PGP public and private rings. Close the window. Time to make the right key and understand the options.

8) Go to the Edit tab. Use Control-T or click Options.

General: click all 4 - always encrypt, faster key, both caches and add a comment that describes you or your company or your class. Other options: File wiping Warn (yes) and change the number of wipes to 32! PGP is an excellent wiping system as well as a PKI cryptosystem.

Files: Leave these locations alone; you can change later but note where they are.

Email: use automatically decrypt, word wrap at 70, and sign by default (optional)

Hotkeys: Purge, and last two Encrypt / Decrypt and sign

Servers: DO NOT click on any of the below.

CA: skip; that’s me for this exercise.

Advanced: Now we are ready. CHANGE the preferred algorithm to 3DES or IDEA, uncheck CAST, check Display marginal level; and warn not "Treat"; change export format to COMPLETE. Close the box. Time to regenerate your new key and destroy your old one, if required.

9) DELETE your old key. You will get two warning statements. Play through. Prepare a new key with 3DES or IDEA as a basis. Go to keys tab and click NEW and regenerate a new key pair. When done you should have yours and Phil's keys. Yours will be 3DES or IDEA based. Use properties to check it.

10) Highlight your key and right click and SIGN it. The signing box will come up. Go to more choices; use TRUSTED Introducer (no Domain). We will talk about this in class. Highlight your key and click ok. It will come up with a message that it is already signed. I know this but I wanted you to see how to SIGN my key or other classmates’ keys. You can also use the right click and obtain the Signing key properties in Certificate form.

11) Note that you can be creative and add a photo or another name to your key.

12) Right click while highlighting and use EXPORT function. Place this in a file that you will create and keep your class keys and mine. You will use the Attachment command on your email program to pull from this location. Close PGP and save the back-up key rings to a safe place like a floppy or CDROM or somewhere that you can find them.

13) Send your key to me by email.

14) I will return your key (not if it is CAST) SIGNED by me. I will also send you my public key. When you receive them, IMPORT BOTH to your public ring. OPEN yours and you will see my signature.

15) Time to use your key to SIGN mine AND RETURN IT TO ME. Cryptography is a bi-functional authentication process. You can see your signature on my public key but not necessarily others on my public key. If you can’t see your own signature, use the “inside-outside” approach discussed in class.

16) We then will perform a second channel check using the fingerprints that you discovered in #7.

17) We exchange messages in PGP. These may be done from inside the email client using the clipboard function or outside the email client using the tools function. Every email package is different so you may have to play with them a little. We will also test the Tempest option. Do not bypass the previous instructions because the authentication process will be lost. We will test the Secure Viewer option.
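The fingerprint from step 7 and the second channel check in step 16, shown as an added example that is not part of the original instructions or of PGP itself: it decodes an exported ASCII-armored key block, recomputes the version 4 OpenPGP fingerprint (SHA-1 over the framed public key packet), and compares it with the value received over the second channel. The function names are hypothetical, the sample key is constructed from toy numbers, and the example assumes the exported key is a version 4 key.

```python
import base64
import hashlib

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 checksum carried on the '=' line of OpenPGP ASCII armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """ASCII-armor binary key data (used here only to build the sample)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "Comment: constructed sample", "",
                      *lines, check, ARMOR_END])

def dearmor(text: str) -> bytes:
    """Decode an exported key block and verify its CRC-24 line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END or "" not in lines:
        raise ValueError("not an armored public key block")
    body = lines[lines.index("") + 1:-1]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    stored = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    if crc24(data) != stored:
        raise ValueError("armor checksum mismatch: key block altered or damaged")
    return data

def first_packet(data: bytes) -> tuple:
    """Return (tag, body) of the first packet, old or new header format."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                   # new-format header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + int.from_bytes(data[2:3], "big") + 192
        else:
            raise ValueError("length encoding not expected for a key packet")
    else:                                # old-format header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not valid for a key")
        size = 1 << ltype                # 1, 2 or 4 length octets
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key_data: bytes) -> str:
    """Fingerprint of a version 4 key: SHA-1 over 0x99, length, packet body."""
    tag, body = first_packet(key_data)
    if tag != 6:
        raise ValueError("first packet is not a public key packet")
    if not body or body[0] != 4:
        raise ValueError("only version 4 keys are handled in this example")
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Strip the spacing and case differences of a fingerprint read aloud."""
    digits = "".join(fingerprint.split()).upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("expected 40 hexadecimal digits")
    return digits

def second_channel_check(armored_key: str, fingerprint_heard: str) -> bool:
    """True only if the received key hashes to the fingerprint heard by phone."""
    return v4_fingerprint(dearmor(armored_key)) == normalize(fingerprint_heard)

def mpi(n: int) -> bytes:
    """Multiprecision integer: 2-byte bit count, then big-endian value."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def sample_key(y: int) -> str:
    """Constructed DSA-shaped key packet with toy numbers; not a usable key."""
    body = bytes([4]) + (1190000000).to_bytes(4, "big") + bytes([17])
    body += b"".join(mpi(n) for n in (2**127 - 1, 2**61 - 1, 5, y))
    return armor(b"\x99" + len(body).to_bytes(2, "big") + body)

if __name__ == "__main__":
    received = sample_key(y=123456789)                 # key as it arrived by email
    heard = v4_fingerprint(dearmor(received)).lower()  # as read over the phone
    print("same key accepted:", second_channel_check(received, heard))
    print("substituted key accepted:", second_channel_check(sample_key(y=987654321), heard))
```

The check fails closed: a key block whose armor checksum does not verify, or whose first packet is not a version 4 public key, raises an error instead of returning a match.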

Appendix B-1
The Mount Fuji Security Policy Challenge

The Provincial Government of Japan (PGJ) has assigned your corporation a huge SECRET contract. You are hired to move, for environmental reasons, Mount Fuji (in mass) to North Sado Island. Your corporation will use physical local labor from the old Honshu region (farming is in real decline and many people are looking for work) and local sailors and stevedores from the Noto port region in the East. Fuji will be hauled truck by truck to the Port at Noto and shipped to Sado Island by barge. But, the PGJ has specified that you must use Gotaba Trucking Group in Chikugo in the old Kyushu region in the South of Japan.

Your team is to prepare the INFOSEC Security and RISK MANAGEMENT Policy for this project. Teams must focus on a full range of cryptographic and INFOSEC countermeasures available to protect the PGJ investment and your corporate image. Determine what is necessary to secure the enterprise computers from illegal activities or loss of secure information.

There are some problems that you must take into account. Remember there will be workers in many different places. Almost all communications will be by wireless means. Everybody will be moving, hauling, trucking, storing, shipping, unloading, and traveling. The workforce may reach 250,000 at its peak. Many unions (with different legacy systems in place) will be in play. Unions do not in general like restrictions on their members. They do not necessarily cooperate with each other. Be concerned with granting access for the hauling project. Mount Fuji is considered a living Monument and the work has been designated by the PGJ to be secret. The stevedores in the Noto region are a special problem and may require biometrically encrypted Passports and/or Visas. Prepare a cryptographic security policy that protects the PGJ in all three geographic areas of Japan affected and your corporation for this groundbreaking project.

Teams will prepare their responses in the form of a clever PowerPoint presentation of 50 slides or more. There is no paper requirement for this assignment. I have attached the 12th Century Japan map that I cooked up this exam from.

Appendix B-2
KING DRACOS Challenges – The Bracelet Solutions – Pick only One

The Bracelet – Problem I: Prisons

I want to welcome your team to our fair country, Draconia. My name is Richard Clarke. I am the Director of the Draconian Bureau of Prisons. We have invited your group to assist us and bid on a sensitive project to be implemented in our prison systems in 2007. It will help us control the prison population movements – especially the violent and repeat offenders. We have 40 prisons in Draconia housing 300,000 prisoners. These facilities are expensive to maintain and guards are underpaid and subject to bribery. About 10 percent of our prisoners have escaped, caused trouble in normal society, been recaptured and returned to our prisons with longer sentences.

Your team will design a neck bracelet to be flexible enough to fit all our prisoners. It will have the ability to locate any prisoner, any place in our fair country (or world for that matter). The bracelet will have an explosive charge embedded into the device. It will send signals to a computer system to confirm the location of the prisoner. The bracelet cannot be removed or the charge will explode.

To eliminate the possibility of prison escape, the bracelet will be designed with two additional functions: 1) a yellow warning line will surround every prison facility or any restricted area in the prison. A prisoner crossing the yellow line will be severely shocked. A red terminal line will be placed ten feet further from the yellow line. A prisoner crossing the red line will trigger the explosive charge around his neck. The bracelet will know the exact location of all yellow and red lines and prisoners. The central computer system will trigger the warning shock or explosive device depending on the prisoner disobedience. 2) Every prisoner bracelet will be linked to another prisoner’s neck bracelet RANDOMLY. If either linked “partner” breaks the red line rule, both prisoners suffer the same consequence.

Your team is not to be concerned with our laws (many of our lawyers are in the jail), politics, religion, costs or ethics. Your team is here to develop the computer system security required and neck bracelet to effect the above restrictions on our prisoners. We are also concerned that you protect the computer system from any outside or inside negative security influences. We want you to present your Secure AD plans, analysis, design and implementation recommendations. We intend to justify this project by reducing the direct cost of guarding our facilities and indirect high costs of recapture and harm done to our society by escapes.

The Bracelet – Problem II: Borders

I want to welcome your team to our fair country, Draconia. My name is Louis Freeh. I am the Director of the Immigration and Nationalization Services. We have invited your group to assist us and bid on a sensitive project to be implemented in our country in 2006. It will help us control the massive influx of refugees and illegal terrorists crossing over our borders. Annually, we have approximately 50,000 persons illegally crossing our borders. We estimate 10% are criminals and 5% are terrorists threatening the peace and safety of our country. At our borders, we are able to stop, track, arrest or detain in camps about 5,000 annually. Our police forces are supplemented by voluntary armed militia. We prefer not to shoot these people, as it is bad for global public relations. We have done some research on those that come into our country without permission. Of those we stop, nearly 80% are repeat offenders! We call them ADs (anti-Draconians).

Your team will design a leg bracelet to be flexible enough to fit all our detained illegals, regardless of their request for sanctuary, criminal or terrorist intent. It will have the ability to locate any AD, any place in our fair country. The leg bracelet will have an explosive charge embedded into the device. It will send signals to a computer system to confirm the location of the AD and close proximity to any other AD. The bracelet cannot be removed or the charge will explode.

To eliminate the possibility of AD re-entry into our fair country, the bracelet will be designed with two additional functions: 1) Draconia will have an “electronic line” built around its international borders. The leg bracelet must be able to determine when the AD crosses that line INTO our country, anywhere at any time. It must feed this data back to the main computer system and to the INS agents in the field. 2) The bracelet has a counter that will max out at 2 intrusions. When an AD’s bracelet reaches 2 on the internal counter, the leg bracelet charge will be computer-triggered, as will every bracelet on any / all ADs within a 25 yard range.

Your team is not to be concerned with our laws, politics, religion, costs or ethics. Your team is here to develop the computer security system and leg bracelet to effect the above restrictions on our ADs. We are also concerned that you protect the computer system from any outside or inside negative security influences. We want you to present your Secure AD plans, analysis, design and implementation recommendations. We intend to justify this project by reducing the direct costs of guarding our borders and indirect high costs of recapture and harm done to our society by repeat offending ADs.

APPENDIX C
Attack / Defense Terrorism Scenarios

Teams choose one

Students may choose one of the eight topics assigned to set up an Attack and Defense scenario (with specific interest in identifying risks and providing protective countermeasures) in collaboration in class, via email and Blackboard. All materials and computer tools used are to be from OPEN sources and available through public means. Each team response to the five assigned scenarios should incorporate concepts and ideas from this class, applied in a balanced format of attack / defense of the subject enterprise target. Groups will have safeguards in their group environment that allow the group to optionally punish noncontributory effort with up to a 20% reduction in grade from what the group received. This is done with a peer-to-peer evaluation at the end of the process. I will supply the spreadsheets. This is a serious action and team members should use it as a last resort. The instructor has no direct input into the P2P process.

Scenario I: Walmart RFID.

Research Team for simulated cyber-attack and defense of network services and data communications for the Walmart Headquarters in Fayetteville, AR. Focus must include Assessment of Risks and full-range of cryptographic countermeasures, their implementation and effectiveness for defense.

Choice of this research must focus on the use of RFIDs. Walmart has told its top suppliers to have RFIDs on each pallet of products delivered to its stores by 2006. The system will potentially save 8.4 billion annually through reduced labor and loss by theft. Or will it?

Scenario II: Terror at Sea: Carnival Fun Ships.

Carnival Corporation is a global cruise company with a portfolio of 12 distinct brands comprised of the leading cruise operators in North America, Europe and Australia. Carnival Cruise Lines, Holland America Line, Princess Cruises, Seabourn Cruise Line, Windstar Cruises, AIDA Costa Cruises, Cunard Line, P&O Cruises, Ocean Village, Swan Hellenic, and P&O Cruises Australia are all included in this group.

Together, these brands operate 77 ships totaling more than 128,000 lower berths with nine new ships scheduled for delivery between November 2004 and December 2006. It also operates the leading tour companies in Alaska and the Canadian Yukon, Holland America Tours and Princess Tours. Traded on both the New York and London Stock Exchanges, Carnival Corporation is the only entity in the world to be included in both the S&P 500 and the FTSE 100 indices. Being all over the map can be a great thing. "Fun Ships" cruise to well over 60 destinations including: The Bahamas, Caribbean, Mexico, Hawaii and even Alaska.

Research Team for simulated cyber-attack and defense of network services and data communications for the Carnival cruise line on the high seas headed for a "fun" Port of Call. Focus must include Assessment of Risks, and full-range of cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense.

Attack and Defense must center on a chosen Carnival ship systems' vulnerabilities. Particular attention is to be paid to the RISK Assessment and navigation / control issues, as everyone's life may be in danger at sea and panic brings on 2nd and 3rd order effects.

Rent the movie SPEED 2 and watch for ideas. Then go to www.carnival.com

Scenario III: Mall of America Terrorism Scenario.

The Mall of America has become globally recognized as the largest entertainment and retail complex in the US. Welcoming over 42 million guests each year, Mall of America in Bloomington, Minnesota is the nation's #1 visited attraction. The Mall of America has over 525 specialty stores, 4 national department stores - Bloomingdale's, Macy's, Nordstrom and Sears, over 50 restaurants from fast-food to fine dining, 7 nightclubs, 14 movie theaters, and much more!

Research Team for simulated cyber-attack and defense of network services and data communications for the Mall of America. Focus must include assessment of Risks, full-range of cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. Consider Mall of America a high value target in your RISK ASSESSMENT and countermeasure identification process. Question (How would you penetrate) the network security of the available business and local authorities protecting / serving the Mall.

Scenario IV: A/D on 911 Emergency Communications.

Research Team for simulated cyber-attack and defense of network services and data communications for the 911 Emergency Communications for a major city over 50,000. Focus must include RISK ASSESSMENT and full-range of information security countermeasures, implementation and effectiveness for defense.

Scenario V: Trucking Counter-Terrorism Scenario.

Carlisle PA is the center for the US Army Strategic Center and War College. It is also the midpoint for I81, I83, I15, I76 and within 10 hours of 1/4 of the US population. Problem: Trucking has become an enormous potential terrorist problem: uncontrolled traffic (literally 1000's of trucks per hour), building of 24 hour super warehouses (hundreds of acres of previous farmland) to speculative clients in 4 counties on at least 4 exits, with no legal stops, no real time investigation or inspection for secondary use chemicals and low enforcement via under-staffed State Police.

Research Team for simulated cyber-attack and defense of network services and data communications for the City of Carlisle, PA. Focus must include RISK ASSESSMENT and full-range of cryptographic legal countermeasures, their implementation and effectiveness for defense. Team will review the Patriot Act, and recommend the appropriate legal, technical and policy means to increase safety to the residents. Assume your presentation is in front of the County Board or City Mayor's Advisory Team.

Choice of this research must focus on the use of RFIDs / GPS / automated inspection tools / XRAY/ CCTV or other countermeasures to solve the problem.

Scenario VI: Port of Singapore Terrorism Scenario

Singapore and its beautiful harbor sit at the bottom end of the Malacca Straits, a stone's throw from Malaysia and abreast of the South China Sea. She sits electronically in the middle of Dangerous Waters - more modern Piracy and Terror on the High Seas occur than any other region in the World.

Your team will research and prepare a simulated cyber-attack and defense of network services and data communications for the Port of Singapore. Primary concern is on the IT architecture and Database requirements available to the Singapore Defenses Forces and police. Consider Singapore a high value target in your risk assessment and countermeasure identification process.

Attack / Defense scenarios must include an After Action Report which summarizes your team's “group think” on the effectiveness of the A/D contemplated / presented. It should also incorporate the improvements in intelligence gained by the computer security architecture suggested by your team.

Scenario VII: Hearts and Minds Inc.

Conceptual obstacles in computerized medical diagnosis.
The major problem in the medical field is to diagnose disease. Human beings always make mistakes and because of their limitation, diagnosis would give the major issue of human expertise. One of the most important problems of medical diagnosis, in general, is the subjectivity of the specialist. It can be noted, in particular in pattern recognition activities, that the experience of the professional is closely related to the final diagnosis. This is due to the fact that the result does not depend on a systematized solution but on the interpretation of the patient's signal (Lanzarini and Giusti, 1999).
Brause (2001) highlighted that almost all the physicians are confronted during their formation by the task of learning to diagnose. Here, they have to solve the problem of deducing certain diseases or formulating a treatment based on more or less specified observations and knowledge. For this task, certain basic difficulties have to be taken into account:

  • The basis for a valid diagnosis, a sufficient number of experienced cases, is reached only in the middle of a physician’s career and is therefore not yet present at the end of the academic formation.
  • This is especially true for rare or new diseases where also experienced physicians are in the same situation as newcomers.
  • Principally, humans do not resemble statistic computers but pattern recognition systems. Humans can recognize patterns or objects very easily but fail when probabilities have to be assigned to observations.

Brause (2001) also gives an example of a study from the year 1971 that showed these basic facts in the medical area. This study showed that humans have many limitations in diagnosis. The results of this experiment were as follows:

  • Best human diagnosis (most experienced physician): 79.7%
  • Computer with expert data base: 82.2%
  • Computer with 600 patient data: 91.1%

From this result we can see that humans cannot ad hoc analyze complex data without errors.

Despite extensive research and a multitude of computer systems, there is no viable computerized system that is even remotely capable of approaching the skill of an expert human physician. Minor obstacles in the design of a practical system include imprecise medical terminology, the use of non-independent clinical parameters, incorrect or inaccurate information supplied to the computer, and static representation of a patient's medical history. Major problems that go beyond computer manipulation of data include the requirement for a massive database, representation of medical knowledge in general rather than specific terms, and physician fallibility in the design of a computer system.

Hearts and Minds, Inc. is a professional group of physician specialists (from Johns Hopkins and Tulane Medical Schools) in the treatment of aggressive cancers and serious heart diseases. They believe they can solve the aforementioned conceptual problems by implementing an advanced diagnostic computer system. This architecture will provide global web services and maintain a huge database of information. This knowledge management database will be made available to doctors and hospitals around the world. It will require special security based on HIPAA guidelines.
Your team will design / build the security system to protect the valuable information assets architecture for this humanitarian project.

Scenario VIII: Utica / Rome Hospital Terrorism Scenario

Research Team for the simulated cyber-attack and defense of network services and data communications for a major Baltimore/Washington-area hospital's critical care systems (cardiac care unit, ICU, NNU, ER, Blood Bank, Pharmacy) and sensitive patient records databases. Focus includes cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. HIPAA requirements covered, as required.

Explore the systems architectures that the chosen Baltimore / Washington hospital currently uses, as obtained by OPEN source methods and site visit. Many of the systems are wireless and provide high interoperability with little security. Identify potential routes that might be used to reduce the effectiveness of the information flow and how you might improve them by redesign and better practices. Investigate how a “fake” doctor might use the appropriate systems to gain advantage to hospital resources.

Attack / Defense scenarios must include an After Action Report which summarizes your team's “group think” on the effectiveness of the A/D contemplated / presented. It should also incorporate the improvements in intelligence gained by the computer security architecture suggested by your team.

APPENDIX D
Security Risk Assessment Exercise

Open books, open notes, teams will present findings competitively in class. You may use visuals, blackboard, PowerPoints, handouts or flip charts, if available. At the end of the presentations, class will discuss what we learned.

Security Engineering (100 points)

1. Analyze the risk profile of the following described corporation, using the risk management equation.

Corporation description:
Medical research firm, with $4.7 Billion in revenues per year and 120,000 employees located in 72 countries worldwide. Research is conducted using laboratory testing, computer simulation and modeling, and requires worldwide sharing of data from test results. The company must get its products approved by every country that it sells them in, and the faster it gets them to market, the longer it can benefit from the exclusivity granted by patent protection. In fact, the company recently shepherded a new schizophrenia drug through the approval process in 17 countries through the use of its intranet: it brought the drug to market in only 18 months and generated over $550 million revenue in the first 14 months on the market. The CEO is particularly concerned about industrial espionage and about keeping data integrity.

2. Do a security needs analysis. Use the Security Needs Definition Matrix format.

3. Given a security budget of $1,000,000 (one million dollars) for the corporation described for the first year, how would you allocate that funding between technologies? What would you target for follow-on year investments? Use the Technology Cost Estimates given in the Reference Material. Show how you arrived at the conclusion and justify your recommendation. If necessary, make judgments on the relative benefits accorded by the technologies to the security challenges of the corporation. This should result in a complete systems engineering analysis of how to implement security.

Reference Material
Security Needs Definition Matrix:

 

 
Columns: What? | How much? | How long?

Confidentiality
  What?
  • What needs to be kept secret?
  • What doesn't need to be kept secret?
  How much?
  • How much secrecy is enough?
  • How much is NOT enough?
  How long?
  • How long does secrecy need to be assured?
  • At what point does secrecy cease to matter?

Integrity
  What?
  • What needs to be kept whole and pure?
  • What does not need to have assured integrity?
  How much?
  • How much integrity is enough?
  • How much is NOT enough?
  How long?
  • How long must data integrity be assured?
  • When does data integrity cease to be required?

Availability
  What?
  • What needs to be available for use?
  • What doesn't matter whether it is available or not?
  How much?
  • How much availability is enough?
  • How much is NOT enough?
  How long?
  • How long must availability be assured?
  • When does data availability cease to be required?

Technology Cost Estimates

Technology/Processes    Cost (in US dollars)
Antipiracy Software $15,000 site license +$5,000 admin costs per year
Antiviral Software $150 for every 20 workstations
Audit Data Reduction System $5,000 per 100 computers
Auditing/monitoring systems and networks $120,000
Backups $8,000 per 100 computers
Biometric Identification Authentication System $35,000 plus $35 per person
Computer Emergency Response Team $300,000
Configuration Management System $5,000 per server
Cryptography $75,000
Disaster recovery/Business continuity exercises $50,000
Disaster recovery/Business continuity planning $35,000
Employee Activity Monitoring System $200,000 +$5 per person
Employee Background Investigations $500 per person low; $5,000 per person high
Employee Badging System $100,000 plus $5 per person
External Security Monitoring Service $75,000
Firewalls $10,000 each + $40,000 installation and configuration
Independent security assessments $25,000 each
Intrusion detection systems $15,000
Network Monitoring $5,000 per 100 computers
One Time Password System $50,000 + $35 per person