Introduction University of Sunderland CSEM02 Harry R Erwin, PhD Peter Dunne, PhD

Purpose The purpose of CSEM02 is to prepare a post-graduate student for an entry-level network security position. We concentrate on the skills needed to do staff analyses of security requirements.

Responsibility Dr. Harry Erwin is the Module Leader for CSEM02 at the University of Sunderland. Dr. Peter Dunne is the co-Module Leader. Dr. Erwin has 35 years of experience as a software systems engineer and security engineer (mostly at TRW) for high-reliability systems. He supervises final year/MSc projects and PhD research in intelligent systems, security, and software engineering. or

Responsibility (II) Dr. Dunne has expertise in numerical analysis and software engineering, a background in cryptography, and is the programme leader for a number of MSc programmes.

Objectives To develop a critical awareness of the current state of information system security: –Threats –Legal policies –Security technology –Security architectures

Learning Outcomes Knowledge –An understanding of the processes of security engineering, including risk analysis, requirements analysis and trust analysis. –An awareness of the tradeoffs involved in producing a security solution and architecture definition. –An understanding of the technologies available to implement a proposed security solution. –An awareness of developments in security technology. Abilities –Produce security solutions for particular situations. –Implement simple security solutions for small networks.

Indicative Content 1.Security engineering processes - risk, trust and security analysis. 2.Security policies. 3.Legal context. 4.Security objectives and mechanisms. 5.Symmetric and asymmetric cryptography. 6.Access control, authentication and audit mechanisms. 7.Secure programming techniques. 8.Firewalls and intrusion detection systems. 9.Security testing. 10.Incident response.

Outline 24 Lectures 12 Tutorials 12 Practical sessions Students will do individual presentations (30%). One group project (30%, not programming). We use problem-based learning (PBL). A comprehensive take-home assessment (40%). We can use for communication, discussions, and submitting coursework.

Administrivia The module handbook is posted here: M02HandbookMB.html M02HandbookMB.html and is also posted here: g4.sunderland.ac.uk/~harryerw/CSEM02Ha ndbookMB.htmlhttp://scat-he- g4.sunderland.ac.uk/~harryerw/CSEM02Ha ndbookMB.html We may use WebCT to communicate:

Textbooks Key text that students must buy: –Matt Bishop, 2003, Computer Security: Art and Science, Addison-Wesley, ISBN: Reference text that students must be able to access readily: –Simson Garfinkel, Gene Spafford and Alan Schwartz, 2003, Practical Unix and Internet Security, 3rd Edition, O`Reilly, ISBN:

Support Texts Other texts you should know where to find: –B. Schneier, 2000, Secrets and Lies, Wiley. –P. Neumann, 1995, Computer-Related Risks, Addison- Wesley. –Anderson, 2001, Security Engineering, Wiley, ISBN: (Available free electronically) –Rescorla, E., 2001, SSL and TLS, Pearson Education. –Amoroso, 1999, Intrusion Detection, Intrusion.net. –Barrett and Silverman, 2001, SSH, the Secure Shell, O’Reilly. –Niels Ferguson, Bruce Schneier, 2003, Practical Cryptography, Wiley. –Scott Oakes, 2001, Java Security, 2nd Edition, O`Reilly

Material Covered Probabilistic Risk Analysis Trust Analysis (Sloman and Grandison) Legal Issues and Policies The Security Analysis Process Chapter 1, Overview Chapter 2, Access Control Chapter 3, Foundations Chapter 4, Security Policies

Material Covered Chapter 9, Basic Cryptography Chapter 10, Key Management Chapter 11, Cipher Techniques Chapter 13, Design Principles Chapter 14, Identity Chapter 15, Access Control (optional) Chapter 18, Assurance

Material Covered Chapter 23, Vulnerability Analysis (optional) Chapter 24, Auditing Chapter 25, Intrusion Detection Chapter 26, Network Security Chapter 27, System Security Chapter 28, User Security (optional) Chapter 29, Program Security (optional) Java Security

Lectures and Tutorials We are planning on about minute lectures. Be here on time, please. There will be breaks. We are planning tutorials and discussion sessions in DGIC-220.

Course Marking Everything is coursework. Coursework mark must be at least 40% for you to pass. Written assignments may be submitted in essay or report format. Referencing your sources is required. During marking, assignments will be compared to determine if there is evidence for collaboration or cheating.

Questions?