The University of Maryland University College
Information Risk Assessment and Security Management
Welcome to CSMN 655: Information Risk Assessment and Security Management. My name is Professor Nichols and I will be your course facilitator during the next intense fourteen sessions. You may want to visit my site at http://www.infosec-technologies.com. There are many resources, papers, URLs and presentations available to my students. Please note the Introductions conference. Please take a minute to introduce yourselves to the class, with a little background about yourself, courses taken and a few sentences about your expectations about this class.
Course Goals/Objectives
Executive Summary

Risk management is important to each of us simply because it is the best method available to determine the protection required for valuable assets at the most reasonable cost. This intense course will focus on two critical risk assessment areas: 1) information security and cyber security, and 2) critical assets and domestic intelligence / law enforcement. CSMN 655 Risk Management is presented in two phases. Phase 1 explores the theoretical, practical and best-practice aspects of risk assessment and management. Phase 2 is a group-oriented independent practicum on risk assessment and defense of the Homeland, applying practical countermeasures to a serious simulated terrorist scenario. Students will explore both technology and management issues related to managing the elements of holistic information security and risk assessment. Specific technologies and techniques used by terrorists, hackers, crackers, spies, and thieves to obtain access to sensitive, private information and domestic intelligence are discussed and explored. Expect several hands-on team exercises, lots of reading and little sleep during our fourteen weeks of intense activity. Students will complete a theoretical and practical risk assessment / management scenario dealing with applying risk assessment to a credible terrorist threat.
Modeling Risk Management
As organizations increase security measures and attempt to identify vulnerabilities in critical assets, many managers are looking for a mechanism to ensure an efficient investment of resources to counter physical, terrorist and cyber threats. One method is a risk management model that not only assesses assets, threats, vulnerabilities and countermeasures but also incorporates a continuous assessment feature. This allows organizations to tailor their management of risk to the current situation as well as assess future risks. The management of risk affects the bottom line of every organization, either in monetary terms or in terms of operational readiness and capability. Security managers and decision-makers who operate in any sector of the national infrastructure must have a sound methodology to manage physical, terrorist and cyber risks to their organization.
INFOSEC
The proliferation of corporate databases and the development of telecommunication network technology as gateways or invitations to intrusion are examined. Ways of investigating the management of the risk and security of data and data systems are presented as a function of design through recovery and protection. Issues of risk and security, as they relate to specific industries and government, are major topics in the course. Examples are presented of how major technological advances in computer and operating systems have placed data, as tangible corporate assets, at risk. Quantitative sampling techniques for risk assessment and for qualitative decision making under uncertainty are explored. Students will complete several modules:

Module 1: Introduction to Risk Assessment and Management

What is it and how can we use it to make our lives, critical assets and information systems safer? Risk management is both an art and a science. We first look at its purview.
1) Introduction, administrative messages, and daily bullets
2) The language of risk assessment: management, assessment, mitigation, threat levels, vulnerabilities, impact, countermeasures, probabilities, events, cost-effective responses and risk avoidance
3) INFOSEC: confidentiality, integrity, availability, protect, detect, correct, access, authentication, cryptography, non-repudiation, extended terms
4) Basic premises, the conventional risk management cycle (five phases), key personnel roles, system characterization
5) The conventional risk management model and risk assessment equation

Module 2: Improving Conventional Wisdom: Security Needs Definition Matrix, Countermeasures, Systems Approach, 30 Elements and Life Cycle

Conventional strategies to reduce / manage risk de-emphasize INFOSEC and its relationship to countermeasures. Module 2 incorporates threats and vulnerabilities of computer systems into the risk model and emphasizes the effects / costs of the countermeasures chosen.
1) A better risk management equation (Ryan model)
2) The risk management process and dynamic model of risk
3) Exploration of information security aspects and systems engineering
4) Holistic view of the risk management / mitigation process in terms of policy, training and awareness, research and development, vulnerability analysis, security response teams, acquisition, systems operations, PDC, CIA and impact
5) The 12-block framework for IT organization and security management

Module 3: Mitigating Risk / Threat of Terrorism and Other Risks

The development of strategies to reduce the risk / threat of terrorism, or other threats, involves a process in which the cost to mitigate is measured against savings in risk reduction.
1) Thinking sensibly about security in an uncertain world: the Schneier model
2) How systems fail
3) Knowing the attacker
4) Technology creates security imbalances
5) Security and risk assessment is a weakest-link problem
6) Brittleness makes bad security and increases risk
7) People!
8) Detection works where prevention fails, but is useless without response
9) Identification, authentication and authorization
10) All countermeasures have value, but no one countermeasure is perfect

Module 4: Down in the Mud: A Walk-Through of the Risk Management Process and Workflow

Theory and practice meet on the same road in this module. The Parker analysis for enhanced CIA / PDC and the Roper model for risk management information flow are presented.
1) The Parker Analysis: preserving availability, utility, integrity, authenticity and possession to meet a standard of due care; avoid loss, reduce loss, eliminate loss
2) The Roper Risk Model + 1 (Nichols): 5 steps
3) Asset identification and loss impacts
4) Threat identification and characterization (site specific)
5) Vulnerability identification and assessment
6) Assess risk and determine priorities for asset protection
7) Perform cost-benefit analysis based on understanding the technology and countermeasures available

Module 5: Cryptography, the Prime Countermeasure?

Cryptography is a maturing science that has global-ranging applications in business and government. Every commercial or government establishment that either markets its products internationally or uses computer networks for global communications and customer services must be concerned with protecting its information assets from a variety of attacks.
1) How cryptography works and lessons from classical cryptography
2) Key management, key size, entropy and crypto-strength
3) Modern cryptography: confidentiality, data integrity, authentication, non-repudiation, digital signatures and certificate authorities
4) Cryptanalysis, traffic analysis, pattern analysis and brute force
5) Biometric encryption, steganography, terrorist cryptograms
6) Wireless security: encryption features and increased risk
7) INFOSEC / INFOWAR = due diligence / terror measures; the risk is exponentially different
8) "Trust me, it's encrypted": fallacies of cryptography as a countermeasure

Module 6: Defending the Homeland: Domestic Intelligence, Law Enforcement and

Module 6 will encompass more questions than answers for risk-related issues:
1) Terrorism, patriotism and dilemmas of law enforcement
2) Intelligence gathering and civil liberties
3) Bureaucracy and interpretations of risk
4) Clausewitz, Sun Tzu and asymmetry
5) Building intelligence systems based on

Module 7/8: Practicum: Attack / Defense Scenario

Teams will be assigned a serious simulated terrorist attack (cyber, physical, psychological, diversions, and other) against a soft target of significant symbolic interest. Teams will identify critical assets that can be protected, evaluate the technologies in place and the security definition matrix, and prepare / present the Risk Management / Assessment Policy for this scenario. Focus must include the full range of personnel, cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. A short after-action report will be prepared and evaluated by the class.

Skills

Upon completion of this seminar, the student should be able to:
1) Identify and critically assess issues and concepts related to the protection of information and information systems.
2) Define the security attributes confidentiality, integrity and availability. Describe confidentiality requirements for an enterprise environment. Describe integrity requirements for an enterprise environment. Describe availability requirements for an enterprise environment. Place them in the Parker Analysis.
3) Analyze and evaluate proposed or extant information security policies, practices and procedures in order to assess potential advantages and disadvantages that might flow from implementing them. Describe how confidentiality can be protected. Describe how integrity can be protected. Describe how availability can be protected. Describe how failures of protections can be protected against. Describe how attacks can be detected. Describe how impacts from an attack can be mitigated.
4) Use risk management principles to assess threats, vulnerabilities, countermeasures and impact contributions to risk in information systems. Perform a risk analysis for an environment. Create a management plan for security in an environment.
5) Evaluate policies, strategies and standard operating procedures for securing information and communication systems.
6) Identify and critically assess the legal, moral and ethical implications of behavior in an on-line world.
Course Materials
Required Textbooks:

Pfleeger, C.P. (SC) Security in Computing (3rd ed.). Upper Saddle River, NJ: Prentice Hall, 2003. [ISBN: 0-13-035548-8]

Note: Textbooks are available and ready to ship, online, at the MBS (Missouri Book Store), which can be accessed at www.umuc.edu/bookstore. Optional reading textbooks may be found in the UMUC Library or by Inter-Library Loan, or by purchase through Amazon or other discount book outlets.
Optional Textbooks:

Randall K. Nichols and Panos C. Lekkas, Wireless Security (WS). McGraw-Hill Professional Books, January 2002. [ISBN: 0-07-138038-8] One of the most comprehensive references on the subject of wireless security design, by far.

Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (BF). Copernicus Books, 2003. [ISBN: 0-387-02620-7] One of his best works!

Carl A. Roper, Risk Management for Security Professionals. Butterworth Heinemann, 1999. [ISBN: 0-7506-7113-0]

Randall K. Nichols, Daniel J. Ryan, Julie J.C.H. Ryan, Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves. McGraw Hill, 2000. [ISBN: 0-07-212285-4] Still a terrific text with informative sections on Risk Assessment.
Grading Information
(In-class version) Homework Exercises. Students are required to complete homework exercises designed to reinforce concepts examined in the lectures and readings. Several in-class exercises may require short PowerPoint presentations of findings.

(Distance Education version) Conferences. Students are required to participate in conferences designed to reinforce concepts examined in the lectures and readings. A rubric for participation has been posted.

Examinations. A midterm (may be replaced by a special announced project) and a collaborative team research paper will be delivered.

Research Paper. A research paper of approximately 10-12 core pages per team member is required. The class will be divided into working teams of 5-6 members and assigned a semester research paper on a current network / cryptographic / wireless / anti-terror / INFOSEC risk assessment issue.

(In-Class version) Oral Presentation. Each student will give a brief oral presentation describing the results of his/her research to the rest of the class. There will be three to four presentations. (Online students will post their presentations, including graphics and notes, in the Conference topic area to be designated by the instructor.)

(In-Class and Distance Education versions) PowerPoint Presentation. Each student will prepare a PowerPoint presentation describing the results of his/her research. Students will post their presentations, including graphics and notes, in a Conference topic area to be designated by the instructor.
Grading

The final grade will be determined as follows:
Administrative
Professor: Randall K. Nichols

Contact Information:
Availability: 10:00 AM - 10:00 PM EST
Mobile:
Fax:
Business E-Mail:
Student E-Mail:
Web site:
Course Schedule