information security curriculum proposal 15 january 2014
TRANSCRIPT
Information Security Curriculum Proposal
Richard E. Newman
Joseph N. Wilson
15 January 2014
Introduction
Given the increasing importance of the information security as an area, the emphasis on it at the state and federal level, as well as within the corporate world, and the fact that several of the proposed courses have been taught as special topics one or more times, we propose that the courses in the information security area be restructured to reflect a more complete offering, and include a certificate program.
Existing Situation
Our current permanent course listing in the cybersecurity area includes only the venerable CNT 5410 Computer and Network Security, although a proposed course, Penetration Testing -- Ethical Hacking, has passed College of Engineering approval. Aside from these, we have offered several special topics courses, including versions of all of the proposed courses below as well as more esoteric topics that will not be proposed as regular courses (e.g., anonymity and information hiding, computer security theory, secure coding, cryptographic protocols, etc.).
Originally positioned as the single security course offering, the current CNT 5410 Computer and Network Security course covers material from traditional computer security, cryptography, and network security. There is simply too much material to give reasonable coverage in the time available, and the three parts, while related, each have a significant amount of material distinct from the other parts.
Plan
To remedy this problem and give students a solid understanding of each of these areas, the Computer and Network Security course will be obsoleted and replaced by three courses that address the content it attempted to cover, only in more depth. This arrangement not only allows for greater depth in a very large area, but also allows for students in other courses who need specific background (e.g., in cryptography) to obtain it more thoroughly without having to spend significant time on less relevant areas for their needs.
To address the needs of both undergraduate and graduate students, these three courses will be offered at both level, perhaps sharing a common lecture and text, but requiring graduate students to read original papers, derive theoretical results, and produce more sophisticated projects.
The undergraduate Cybersecurity course is proposed in response to the warm response the special topics class in that area received in fall 2012. A large number of beginning computer majors and a fair number of non-computer majors took the course. Hence the courses is proposed as to introduce the area for those with minimal background (it does not have prerequisites), to raise awareness and knowlege of the pervasiveness of computing and communication security concerns in the modern world, and to attract new students to the security and computing curriculum.
Proposed Permanent Courses
1. Undergrad cybersecurity
2. Grad and undergrad computer security
3. Grad and undergrad cryptology
4. Grad and undergrad network security
5. Penetration Testing -- Ethical Hacking
6. Malware Reverse Engineering
The Computer and Network Security class would be obsoleted. All courses are stand-alone courses, relative to each other. Cryptographic components are largely taken as black boxes in the other courses, while their algorithms and implementations are revealed in detail in the cryptology course. Overlap between the courses is pretty minimal (1-2 weeks typically), and the last two courses emphasis laboratory work, while the first four emphasize theory, case studies, and projects.
UCC1: New Course Transmittal FormDepartment Name and Number
Recommended SCNS Course Identi�cation
Transcript Title (please limit to 21 characters)
Pre�x Level Course Number Lab Code
Amount of Credit
Repeatable Credit
Contact Hour: Base or Headcount
Course Description (50 words or less)
Prerequisites Co-requisites
Degree Type (mark all that apply) Baccalaureate Graduate Other
Introductory Intermediate Advanced
Department Contact
College Contact
Name
Phone Email
Name
Phone Email
Rev. 7/13
Rationale and place in curriculum
Category of Instruction
E�ective Term and Year Rotating Topic yes no
S/U Only yes no
yes no If yes, total repeatable credit allowed
Variable Credit yes no If yes, minimum and maximum credits per semester
Professional
Full Course Title
Standardized Syllabus for the College of Engineering
CNT 5xxx Network and System Security 1. Catalog Description - Credits: 3;
This course examines networked threats and vulnerabilities; trust, identification, authentication, and authorization in networked and distributed systems; secure network protocols and standards; certification of network products; firewall configurations, intrusion detection, and anomaly detection; security flaws in network protocols and distributed applications. Coursework includes a significant term project.
2. Pre-requisites and Co-requisites: COP 4600 Operating Systems and CNT 5106C Computer Networks or their equivalent is required. COT 5405 Analysis of Algorithms or equivalent is co-requisite.
3. Course Objectives Students will study the issues involved in assessing and protecting the security of networked computer systems. Graduate students will be expected to prove theoretical results and apply them to networked systems. Successful students will be able to perform a vulnerability analysis of a networked system, propose and implement appropriate controls.
4. Contribution of course to meeting the professional component (ABET only – undergraduate courses)
N/A 5. Relationship of course to program outcomes: Skills student will develop in this
course (ABET only undergraduate courses) N/A 6. Instructor: R. Newman
a. Office location: CSE-E346 b. Telephone: 352-505-1579 c. E-mail address: nemo-at-cise-dot-ufl-dot-edu d. Class Web sites: http://www.cise.ufl.edu/~nemo/security/ e. Office hours: MWF 10:30-11:30 and 1:00-2:00
7. Teaching Assistants: TBD a. Office location: CSE-E309 b. Telephone: TBD c. E-mail address: TBD d. Office hours: TBD
8. Meeting Times: TBD 9. Class/laboratory schedule, i.e., number of sessions each week and duration of each
session: 3 50-minute lectures 10. Meeting Location: TBD 11. Material and Supply Fees: N/A 12. Textbooks and Software Required
a. Title: "Network Security" b. Author: Kaufman, Perlman, and Speciner c. Publication date and edition: Pearson Education, 2002, 2/e d. ISBN: 9780130460196
13. Recommended Reading: N/A 14. Course Outline (provide topics covered by week or by class period)
a. Introduction to Network Security – 1 wk
b. Network Programmed Threats – 2 wks i. Viruses, dangerous attachments ii. Worms iii. Phishing iv. Scanning and interception v. Wireless (in)security vi. Modification, fabrication, and replay attacks vii. Traffic analysis
c. Cryptographic Controls for Network Threats – 3 wks i. basic cryptography ii. confidentiality iii. integrity iv. authentication and non-repudiation v. key management vi. PKI vii. remote access viii. IPsec, GSSAPI ix. SSL, TLS
d. Trusted Network Interpretation – 2 wks i. Goals of the TNI ii. Certification and accreditation iii. Functionality levels iv. Assurance levels
e. Firewalls and Proxies – 2 wks i. Firewall and proxy types ii. Topologies for isolation iii. Packet filtering firewalls and policies iv. Monitoring in the firewall v. Mix-firewalls vi. IPsec tunnel mode vii. Application proxies
f. Networked Identification and Authentication – 1 wk i. Role of cryptography ii. User authentication iii. Host authentication
g. Network Audit, Monitoring, and Forensics – 2 wks i. Events and auditing ii. Audit analysis iii. Real-time monitoring iv. Connection monitoring v. Traffic analysis vi. Collection and handling of evidence
h. Intrusion and Anomaly Detection – 2 wks i. Intrusion detection ii. Pattern-based detection iii. Statistical detection iv. Anomaly detection v. Coordination
i. Social and Ethical Issues in Network Security – 1 wk i. Legal rights and requirements ii. Appropriate use
iii. Monitoring ethics and legal restrictions iv. Social networks
15. Attendance and Expectations (is attendance required, penalties for absence,
tardiness, cell phone policy, etc.) Requirements for class attendance and make-up exams, assignments, and other work are consistent with university policies that can be found at http://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx. Pop quizzes will be given on assigned reading and on material covered in classes. Cell phones and pagers must be silent during class. Reading emails, facebook, etc. is appropriate at some other time and place. Questions are encouraged - raise your hand to be recognized. Try to formulate the question before asking it, and wait to see if it is answered in a few minutes so we can maintain flow. Lengthy discussions will be deferred to office hours. Students are required to check the class web pages at least three times a week (MWF) for announcements/updates. You are responsible for all assignments posted on the web page or announced in class.
16. Grading – methods of evaluation: a. Quizzes and Homeworks: 20% b. Exams: 40% (midterm and final) c. Projects: 40% Project grades include scoring for documentation and good programming practice in addition to correct functionality. Projects shall focus on network security. Examples include remote access methods, protocol security, network monitoring, intrusion detection, etc.
17. Grading Scale: A >= 90%, 90% > A- >= 87%, 87 %> B+ >= 85%, 85% > B >= 80%, 80% > B- >= 77%, 77% > C+ >= 75%, 75% > C >= 70% Obligatory Statements “A C- will not be a qualifying grade for critical tracking courses. In order to graduate, students must have an overall GPA and an upper-division GPA of 2.0 or better (C or better). Note: a C- average is equivalent to a GPA of 1.67, and therefore, it does not satisfy this graduation requirement. For more information on grades and grading policies, please visit: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx
“Undergraduate students, in order to graduate, must have an overall GPA and an upper-division GPA of 2.0 or better (C or better). Note: a C- average is equivalent to a GPA of 1.67, and therefore, it does not satisfy this graduation requirement. Graduate students, in order to graduate, must have an overall GPA of 3.0 or better (B or better). Note: a B- average is equivalent to a GPA of 2.67, and therefore, it does not satisfy this graduation requirement. For more information on grades and grading policies, please visit: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx
18. Make-up Exam Policy Requirements for make-up exams, assignments, and other work are consistent with university policies that can be found at http://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx.
19. Honesty Policy – All students admitted to the University of Florida have signed a statement of academic honesty committing themselves to be honest in all academic work and understanding that failure to comply with this commitment will result in disciplinary action. This statement is a reminder to uphold your obligation as a UF student and to be honest in all work submitted and exams taken in this course and all others.
20. Accommodation for Students with Disabilities – Students Requesting classroom accommodation must first register with the Dean of Students Office. That office will provide the student with documentation that he/she must provide to the course instructor when requesting accommodation.
21. UF Counseling Services – Resources are available on-campus for students having personal problems or lacking clear career and academic goals. The resources include: · UF Counseling & Wellness Center, 3190 Radio Rd, 392-1575, psychological and
psychiatric services. · Career Resource Center, Reitz Union, 392-1601, career and job search services.
22. Software Use – All faculty, staff and student of the University are required and expected to obey the laws and legal agreements governing software use. Failure to do so can lead to monetary damages and/or criminal penalties for the individual violator. Because such violations are also against University policies and rules, disciplinary action will be taken as appropriate. We, the members of the University of Florida community, pledge to uphold ourselves and our peers to the highest standards of honesty and integrity.
23. Students are expected to provide feedback on the quality of instruction in this course by completing online evaluations at https://evaluations.ufl.edu. Evaluations are typically open during the last two or three weeks of the semester, but students will be given specific times when they are open. Summary results of these assessments are available to students at https://evaluations.ufl.edu/results/.
Grading Rubric for Graduate Software Projects
Characteristic Outstanding Above Average Average Below Average Failing Meets
Computational Specifications
The program meets all of the computational specifications
The program produces the correct results and displays them correctly for almost all computational specifications
The program produces correct results for most computational specs, has a few bugs
The program is produces incorrect results, has several bugs
The program is does not work or has many bugs
Displays Output Correctly
The program displays results very clearly and intuitively, and meets all display specifications
The program displays results clearly and meets most of the display specifications
The program displays results clearly and meets many of the display specifications
The program does not display results clearly or does not meet most display specs
The program does not display results correctly and does not meet most display specs
Readability The code is well organized and very easy to understand, with clear comments both in-line and in headers
The code is pretty well organized, fairly easy to read, and has good comments
The code has some organization,is a challenge to read, and has minimal comments
The code is readable only by someone who knows what it is supposed to do, has few comments
The code is poorly organized and very difficult to read, with no comments
Reusability The code could be reused as a whole and each routine could be reused
Most of the code could be reused in other programs
Some parts of the code could be reused in other programs
A few parts of the code could be reused in other programs
The code is not organized for reusability
Documentation Documentation is clear and well written, and clearly explains what the code does and how. It includes
Documentation is reasonably clear and mostly complete, and is useful in understanding the
Documentation is adequate, but not well written or thorough; configuration and user information is
Documentation is does not explain the purpose or methods well, and does not help the reader understand
No separate documentation is provided
Characteristic Outstanding Above Average Average Below Average Failing how to configure the system and how to use it correctly
system and how to configure and use it correctly
minimal the program or system; configuration and user documentation is inadequate
Validation and Verification
Test cases are thorough and systematic, well documented; proof sketches of correctness are supplied or cited
Test cases are thorough and systematic, well documented with expected and actual output
Tests cover most representative cases, tests and known bugs are adequately documented
Test cases miss significant scenarios, and are poorly documented; bugs are poorly documented
Test cases are absent or very few, and are poorly documented or undocumented ; bugs not documented
Efficiency and Performance
The code is very efficient, system meets or exceeds all performance requirements, includes performance analysis
The code is fairly efficient, system meets performance requirements, includes performance analysis
The code is naïve or brute force, system meets most performance requirements, includes minimal performance analysis
The code is brute force and unnecessarily long, system meets some performance requirements, includes no performance analysis
The code is huge and grossly inefficient, system meets few or no performance requirements, includes no or incorrect performance analysis
References All relevant work is cited correctly
Most relevant work is cited correctly
Some work of others mentioned, mostly correctly
Relevant work is cited infrequently or incorrectly
No relevant work is cited
Delivery The code and documentation were turned in ahead of schedule
The code and documentation were turned in on schedule
The code and documentation were turned within one day of the due date
The code and documentation were turned in within a week of the due date
The code and documentation were turned in more than one week late
Grading Rubric for Term Papers
Characteristic Outstanding Above Average Average Below Average Failing Topical
Requirements The paper is tightly focused on the assigned topic and highlights its significance
The paper is focused on the assigned topic and mentions its significance
The paper is mostly focused on the assigned topic but does not explain its significance
The paper is marginally related to the assigned topic
The paper is not related to the assigned topic
Organization The paper is well organized and flows well, with segues between paragraphs and sections
The paper is reasonably well organized and has good flow
The paper has decent organization and some segues
The paper has inadequate organization and few segues
The paper has poor organization and is very choppy
Grammar, spelling, and punctuation
Grammar is correct, there are no spelling or punctuation errors
Grammar is mostly correct, there are no spelling or punctuation errors
Grammar is mostly correct, there are few spelling and/or punctuation errors
There are several grammatical errors,and there are spelling or punctuation errors
There are significant grammatical errors,and there are many spelling and punctuation errors
Clarity The paper is clear and easy to follow; difficult concepts are well explained
The paper is mostly clear and easy to follow; difficult concepts are adequately explained
The paper is mostly clear and easy to follow; difficult concepts are not explained
The paper is sometimes unclear or hard to follow; difficult concepts are ignored or confused
The paper is mostly unclear and hard to follow; difficult concepts are ignored or confused
Completeness The paper covers all of the relevant material
The paper covers all of the critical and some additional relevant material
The paper covers all of the critical material but little more
The paper lacks some of the critical material
The paper lacks most or all of the critical material
Depth The paper The paper The paper The paper The paper
Characteristic Outstanding Above Average Average Below Average Failing demonstrates deep and nuanced understanding of the material
demonstrates some depth of understanding of the material
demonstrates good basic understanding of the material
demonstrates shallow understanding of the material
demonstrates no real or incorrect understanding of the material
Rigor Mathematical models are complete and proofs of claims are correct and clear
Mathematical models are mostly complete and proofs of claims are correct but some are awkward or unclear
Mathematical models are mostly complete and most proofs of claims are correct but some are awkward or unclear
Mathematical models are mostly incomplete or missing, proofs of claims are incomplete, some are incorrect
No mathematical models are given and there are no proofs of claims or they are incorrect
Citations Work of others is cited often and correctly
A fair amount of others' work of is cited correctly
Some work of others is cited, mostly correctly
Work of others is cited infrequently or incorrectly
No work of others is cited
References There are many relevant and correct references to prior work
There are many relevant and mostly correct references to prior work
There are adequate references, mostly complete and correct
There are few relevant references or most are incomplete or incorrect
There are few or no relevant references, or they are incomplete or incorrect
Delivery The paper was turned in ahead of schedule
The paper was turned in on schedule
The paper was turned within one day of the due date
The paper was turned in within a week of the due date
The paper was turned in more than one week late
UCC: Syllabus ChecklistAll UCC1 forms and each UCC2 form that proposes a change in the course description or credit hours must include this checklist in addition to a complete syllabus. Check the box if the attached syllabus includes the indicated information.
Syllabus MUST contain the following information:Instructor contact information (and TA if applicable)Course objectives and/or goalsA weekly course schedule of topics and assignmentsRequired and recommended textbooksMethods by which students will be evaluated and their grades determinedA statement related to class attendance, make-up exams and other work such as: “Requirements for class attendance and make-up exams, assignments, and other work in this course are consistent with university policies that can be found in the online catalog at: https://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx."A statement related to accommodations for students with disabilities such as: “Students requesting classroom accommodation must first register with the Dean of Student Office. The Dean of Students Office will provide documentation to the student who must then provide this documentation to the instructor when requesting accommodation.” Information on current UF grading policies for assigning grade points. This may be achieved by including a link to the appropriate undergraduate catalog web page:https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspxA statement informing students of the online course evaluation process such as: “Students are expected to provide feedback on the quality of instruction in this course based on 10 criteria. These evaluations are conducted online at https://evaluations.ufl.edu. Evaluations are typically open during the last two or three weeks of the semester, but students will be given specific times when they are open. Summary results of these assessments are available to students at https://evaluations.ufl.edu.
It is recommended that syllabi contain the following information:1. Critical dates for exams and other work2. Class demeanor expected by the professor (e.g., tardiness, cell phone usage)3. UF’s honesty policy regarding cheating, plagiarism, etc. Suggested wording: UF students are bound by The
Honor Pledge which states, “We, the members of the University of Florida community, pledge to hold ourselvesand our peers to the highest standards of honor and integrity by abiding by the Honor Code. On all worksubmitted for credit by students at the University of Florida, the following pledge is either required or implied:“On my honor, I have neither given nor received unauthorized aid in doing this assignment.” The Honor Code(http://www.dso.ufl.edu/sccr/process/student-conduct-honor-code/) specifies a number of behaviors that arein violation of this code and the possible sanctions. Furthermore, you are obliged to report any condition that facilitates academic misconduct to appropriate personnel. If you have any questions or concerns, please consultwith the instructor of TAs in this class.
4. Phone number and contact site for university counseling services and mental health services: 392-1575, http://www.counseling.ufl.edu/cwc/Default.aspxUniversity Police Department: 392-1111 or 9-1-1 for emergencies.
The University’s complete Syllabus Policy can be found at: http://www.aa.ufl.edu/Data/Sites/18/media/policies/syllabi_policy.pdf
Rev. 7/13