INFSYS 3848 / INFSYS 6828
Dr. Shaji Khan (Ph.D. Business Administration, M.S. Computer. Science, B.A., B.Com)
Office location: Room 234, Express Scripts Hall | Office Hours: Thursdays 4:30pm to 6:30pm | Email address: email@example.com | Cell phone: 314-489-9733
(Email is the best way to get in touch with me. Please mention course and section number in your correspondence. My cell phone is also listed above. Please leave a message if call goes to voicemail.)
There is no required text-book
Considerable material in the form of notes, PowerPoint slides, and web links will be assigned and available through Canvas
Optional Certifications Books:
Security+ Certification, I recommend: CompTIA Security+ All-In-One Exam Guide: Exam SY0 - 401 (ISBN-13: 978-0071841245) or the latest version.
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Edition (ISBN-13: 978-1119042716) [OR latest edition]
Security Classic (free version):
Anderson, Ross (2007) Security Engineering, 2nd Edition, Wiley (Free and available online at: http://www.cl.cam.ac.uk/~rja14/book.html)
Junior/Senior standing or permission of department chair.
This is an introductory course and open to students from all majors. A background in data networking, programming, and web application development will be very beneficial but is not required. However, the course does get technical and I encourage you to get in touch with me if you have any concerns. It will also be very helpful if students have their own laptops with at least 8GB of RAM (the more the better). We will also have tutors available to help students with lab assignments.
Arguably, Information Security (InfoSec) is currently one of the most critical issues facing individuals, organizations, governments, and society. Media reports are replete with breaches of information security and the adverse consequences for all stakeholders involved from across the globe. Thus, demand for InfoSec professionals who understand the managerial and technical aspects of InfoSec is growing and there's a severe shortage of cybersecurity talent around the world. However, InfoSec is a rather vast field and includes a plethora of management and technical areas. Students or professionals seeking an entry into this field are often overwhelmed by its vastness. In a broad sense, InfoSec is both a management issue and a technological issue. Thus, it is critical that students think about it from both perspectives and develop their skills at their intersection.
The purpose of this course is to two-fold. First, it provides an overview or a survey of the vast field of InfoSec. The goal is to make students aware of the fundamentals of InfoSec and the various facets represented under this umbrella term. Specifically, the course enables students to apply principles of InfoSec to organizational settings. Second, the course provides students a foundation in the technical aspects related to InfoSec. Specifically, the course provides basic technical knowledge and background that should enable students to continue developing their InfoSec skills beyond this course. Thus, this course provides a foundation in the management of information security and at the same time provides a technical introduction to InfoSec with the hope that students will pursue both areas vigorously and practice at the intersection of management and technology.
Upon completion of the course, students will have a basic understanding of at least the following:
- InfoSec terminology
- Fundamental principles of InfoSec and Information Assurance
- The vastly complex global threat environment
- The variety of sub-specialties within the InfoSec field
- Management of InfoSec including
- security planning
- identifying information assets and their associated security requirements
- establishing risk criteria
- risk analysis and risk evaluation
- risk treatment
- security controls
- National and International InfoSec security management standards/models (and the organizations that develop these)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- ISO 27000 Series
- European Union's General Data Protection Regulation (GDPR)
- Information Security Technologies and Tools
- Access control, Different Access Control Models and associated technologies/tools
- Data Networking fundamentals from an InfoSec perspective
- Firewalls (various types of filtering and overview of current trends in “firewalling”)
- Intrusion Detection/Prevention Systems
- Virtual Private Networks
- Basics of Cryptology/Cryptography
- Terminology relevant to InfoSec
- Symmetric and Asymmetric Ciphers – key differences and uses
- Cryptographic Hash Functions
- Applications of Cryptographic Techniques in InfoSec
- InfoSec Management issues associated with cryptographic techniques
- Overview of Secure Software Development
- The need for Web Application Security
- Overview of web based applications and common architectures
- Overview of most common vulnerabilities within web applications
Technical learning outcomes
- Overview of Linux - students will at least gain basic introductory skills in Linux based operating systems
- (I want students to learn as much as possible from these topics: https://www.lpi.org/study-resources/linux-essentials-exam-objectives/)
- Understanding of virtualization (Type I and II. Proficient use of Type II hypervisors such as VirtualBox or VM Ware Player)
- Setting up a virtualized and sandboxed penetration testing lab using a Linux distribution known as Kali Linux. The Kali virtual machine acts as the “attack” machine. We will also setup intentionally vulnerable “target” machines such as “metasploitable”.
- Basics of Cyber Defense: Basics of a variety of information gathering, penetration testing and vulnerability scanning tools, such as “nmap”, “dig”, “metasploit”, OpenVAS etc., especially those built into Kali Linux
- Data Networking fundamentals
- Hybrid TCP/IP Model
- A good understanding of HTTP, TCP, IP, and SSL/TLS protocols
- Use of network protocol analyzers such as WireShark™
- Basic understanding of Web Application architectures
Expectations of performance:
I expect all students to prepare for, attend, and contribute to, the classes on a regular basis. Another forum for you to demonstrate your learning is through non-lab assignments or quizzes. We will also perform “hands-on” lab assignments to better appreciate InfoSec concepts. Together these make up 55% of your grade. Finally, we will learn and explore InfoSec through a group research project worth 35% (graduate students instead work on individual research papers). This course does not have exams. Thus, your grade will be calculated as follows:
|Quizzes/Non-lab Assignments (Individual work)
Lab Assignments (Individual work)
|Research Project (Team work, undergrads only) OR
Individual Research Papers (Graduate Students only)
|Maximum Possible Final Score:||100%|
Letter grades will not be assigned to individual components of the course. Only points (numeric scores) will be assigned. These scores will be combined into a Final Score (a Weighted Total) out of 100, rounded to one decimal place. Depending on this final score, your overall letter grade for this course will be determined as follows.
|Final score ranges and corresponding letter grades|
Attendance (10% of overall grade)
It is extremely important you attend all class periods. This material becomes unwieldy when a student has missed a class or two. I will allow excused absences only for extenuating circumstances (illness, family emergency, etc.)
Quizzes / Non-lab assignments
During this semester, I will assign up to four (4) quizzes / non-lab assignments combined.
- Some quizzes carry more weight toward your final grade than others.
- Quizzes will be either in-class or through Canvas. Some in-class quizzes may be unannounced
- Online quizzes will be turned in through Canvas. Submission deadlines will be listed on each online quiz. Late submissions will receive deductions of 10% for each 24 hour period after the due date until no points remain.
It is imperative that we get as much “hands-on” exposure to InfoSec fundamentals as possible. We will be able to devote only limited class-time for lab exercises. Thus, I will assign up to six (6) lab assignments during this semester to be completed as homework.
- Students will work individually on lab assignments
- Some lab assignments could be completed on the student’s personal computer
- Some lab assignments are to be completed within the dedicated Virtual Lab created for this course. I will provide detailed instructions on how to access this lab and work safely. Access to this lab is contingent upon acceptance of lab usage policies.
- I will provide detailed descriptions of the lab tasks on Canvas and make relevant announcements. In some instances, I will also provide demonstrations. However, the goal is to let students “get their hands dirty” and “figure things out”!
- Lab assignment reports will be turned in through Canvas. Submission deadlines will be listed on each assignment. Late submissions will receive deductions of 10% for each 24 hour period after the due date until no points remain.
VERY IMPORTANT NOTE: Please be mindful that the tools and techniques we will learn are NOT TO BE USED OUTSIDE the Cybersecurity Lab and the “sandboxed” environment created in it. Most of these techniques are illegal when carried out in the “real world” without explicit permission from the entity you are “hacking” for penetration testing purposes. YOU HAVE BEEN WARNED. When in doubt, please contact me beforehand.
Undergraduate Students Only - Team Research Project (35% of your overall grade)
A team-based research project will be another important aspect of this course. As mentioned earlier, InfoSec is a vast field. This course essentially surveys this field and “scratches the surface”. However, it is important that students explore a specific topic in depth. Toward this end, students will engage in a focused research project on a particular topic of interest. I will provide guidance on potential topic areas based on the backgrounds and future plans of students. I will also provide guidance on conducting research.
- Students will work in (self-selected) groups of four (one or two groups may have five students).
- Students will finalize group membership by the second/third class-period at the latest. Visit Canvas/Groups and add your names to a group number (group 1, group 2 etc.). Your presentation date depends on your group number (see course schedule below).
- In full consultation with the instructor, students should ideally finalize a topic area by the end of third week of class. This is an iterative process and you may go through a few topics before settling on one.
- Each team will make a comprehensive presentation to the class during the last two weeks of class.
- Each team will provide a written research paper
- I will provide a detailed Research Project Description and Guidelines document
Graduate Students Only – Individual Research Papers (35% of your overall grade)
While undergraduate students work in teams, graduate students will have the opportunity to engage in individual research on a topic germane to their particular backgrounds and interests with respect to information security. The outcome will be a well written and methodologically sound research paper. Note: This will not be a “simple term paper” but hopefully the beginning of a well designed and implemented research project that draws on primary or secondary data. The goal is to submit each student’s paper to an academic or practitioner journal/conference for publication. It is important that graduate students learn how to conduct and publish basic research. I will provide very detailed guidelines and help to each student and do my best to develop each student’s research paper into something that is publishable. Graduate students must see me early in the semester and preferably every week to work on their projects.
Academic Honesty Guidelines: (from Academic Affairs website, Updated April, 27 2010)
Students at the University of Missouri-St. Louis are expected to exhibit the highest standards of academic integrity. An act of academic dishonesty is an offense against the university. For that reason, university rules prescribe disciplinary consequences for academic dishonesty administered by the Office of Academic Affairs, as well as academic consequences assessed by the faculty member. For a description of what constitutes “Academic Dishonesty” and for procedures followed by the University and by faculty members, please refer to: http://www.umsl.edu/services/academic/policy/academic-dishonesty.html
I expect students to be attentive in class and positively contribute to class discussions. Please refrain from using computers/mobile devices for anything other than classwork and avoid all other distractions.
Remember, paying attention is the first step toward learning. In general, “multitasking” while learning is probably not going to work. (https://www.google.com/?gws_rd=ssl#q=multitasking+while+learning). Further, without actual learning taking place it will be very difficult for you to “connect the dots” (i.e. connecting different things you learn to create even better/bigger picture understanding of phenomena).
Overall, for your own sake, please pay attention to classwork. You will learn better!
- I will make announcements on Canvas. I strongly encourage you to visit this course under Canvas regularly for important updates and documents.
- Please check your UMSL email account regularly for information/updates regarding this course.
Please see the Modules section for a tentative week-by-week schedule for readings and in class work. You will see a summary of assignments below. More assignments may be added as the semester progresses (see course announcements regularly).
The syllabus page shows a table-oriented view of the course schedule, and the basics of course grading. You can add any other comments, notes, or thoughts you have about the course structure, course policies or anything else.
To add some comments, click the "Edit" link at the top.