“Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't use a computer without wondering about the security vulnerabilities. They just can't help it.”

Bruce Schneier

Course ID: 00153
Credits: 6
Schedule: First semester
Lecturers:
  Prof. dr. Eric Verheul (HG02.049)
  Dr. Klaus Kursawe (HG02.071)
  Drs. Gerhard de Koning Gans (HG02.066)

Contents

  1. Description
  2. Objectives (leerdoelen)
  3. Teaching methods (werkvormen)
  4. Examination
  5. Detailed schedule & assignments
  6. Alternative assignment for Kerckhoffs students
  7. Reference of material used in the course
  8. Locations & times
  9. Contact

Description

Information security deals with the preservation of the confidentiality, integrity and availability of information. The leading standard on information security is ISO 27001, which defines the notion of an Information Security Management System (ISMS). This is a means for the management of an organization to be in control of its information security risks. Fundamental within ISO 27001 is that information security is considered to be a ‘process’ and not a ‘product’ one can simply buy. The process allows management to ensure that others within their organization are implementing security controls that are effective.

One of the difficulties of the information security process is its multidisciplinary nature: it needs to grasp security requirements from the organization's business processes (where the managers typically are not savvy on information security) and to translate them into security controls. These controls can be of various types, e.g. procedural, organizational, relating to personnel security, physical, ICT technical, cryptographic or legal. Moreover, the information security process needs to check that the operational effectiveness of the chosen controls is satisfactory and to adapt the controls (or the surrounding framework leading to the controls) if required.

Within the course the information security process is explored at both a theoretical and a practical level, never losing sight of the computer science perspective. To this end the course also has several ‘hands-on’ exercises, including conducting a Windows EDP audit, a network audit and a network penetration test. The course provides the basic information on information security required by the security officer of an organization, by IT security auditors and by IT security consultants. As information security is still a rapidly evolving topic (I might argue it is even still in its infancy), the course can also provide inspiration for further scientific research in the field.

Objectives (leerdoelen)

Teaching Methods (werkvormen)

Examination

To successfully pass the exam the student has to fulfil the following two conditions:

  1. Having carried out all the practical (‘hands-on’) tutorials. Each tutorial is accompanied by a question list to be answered (indicating that the tutorial has been carried out). Although it is probably most convenient for the student to carry out the tutorial during the corresponding ‘werkcolleges’, this is not strictly necessary. The tutorials can also be carried out outside the werkcolleges as long as the filled-in question list is provided to Gerhard de Koning Gans before the deadline. The student does not get a mark for the answers other than ‘(un)successfully concluded’.
  2. An average outcome of 6 or higher over both the assignments during the course and the written exam at the end of the course. If both parts (assignments and exam) of the examination have been completed in time, the final mark will be the average of the two averages, provided the outcome of the exam is at least 5.0. If the result of the exam is lower than 5.0, the final mark will be equal to this result.

Detailed schedule & assignments

(To access the slides you need to login on Blackboard first. Literature marked 'N' is non-compulsory. 'Zelfstudie' gives the self-study hours for the issued assignment or tutorial.)

1. 30 August, 10:30 - 12:30 (w35)
   Subject: Introduction to information security based on ISO 27001/27002 [Slides]
   Literature: [FIPS199], [ISO 27001], [ISO 27002], [Ach27001], [Security Engineering], [Management Issues], [COBIT] (N)
   Lecturer: prof. dr. E.R. Verheul
   Assignment #1: Some simple cases on information security (zelfstudie: 4 hours)
   Deadline (3 weeks later): September 20

2. 6 September, 10:30 - 12:30 (w36)
   Subject: Practical implementation of ISO 27001 / 27002 [Slides]
   Literature: [ISO 27001], [ISO 27002], [Ach27001], [ISO_WEB] (N)
   Lecturer: prof. dr. E.R. Verheul
   Assignment #2: drafting an IS policy (zelfstudie: 56 hours)
   Deadline: end of course (10 January 2011)

3. 13 September, 10:30 - 12:30 (w37)
   Subject: Information security risk assessments [Slides]
   Literature: [ISO27005], [SP800_30], [Physical Protection] (N)
   Lecturer: prof. dr. E.R. Verheul
   Assignment #3: a simple risk assessment; spreadsheet (ods, xls) (zelfstudie: 16 hours)
   Deadline (3 weeks later): October 11 2010

4. 20 September, 10:30 - 12:30 (w38)
   Subject: Business Continuity management [Slides]
   Literature: [HistoryBCDR]
   Lecturer: drs. P.A. Hoogteijling RE CISA MBCI
   Assignment / tutorial: -

5. 27 September, 10:30 - 12:30 (w39)
   Subject: Introduction to Smartcard security [Slides]
   Literature: [Tamper Resistance]
   Lecturer: dr. E. Poll
   Assignment / tutorial: -

6. 4 October, 10:30 - 12:30 (w40)
   Subject: Legal aspects of information security: privacy & cybercrime [Slides, Slides]
   Literature: [WBP], [Guidelines], Ch. 2 of [GC_KLPD]
   Lecturers: C.P.H. de Bie MSc, drs. E. König
   Assignment #4: Asking organizations what kind of privacy-related information they have on you (zelfstudie: 12 hours)
   Deadline: end of course (10 January 2011)
   Remark: Lecture and tutorial not compulsory for Kerckhoffs students; they need to do an alternative assignment instead.

7. 11 October, 10:30 - 12:30 (w41)
   Subject: Technical security (network, OS, webserver); Webapplication security [Slides]
   Lecturer: drs. G. de Koning Gans
   Tutorial #1: internet security (zelfstudie: 8 hours)
   Remark: Exercise lecture in HG00.075!
   Deadline (3 weeks later): 1 November 2010
   Remark: Lecture and tutorial not compulsory for Kerckhoffs students; they need to do an alternative assignment instead.

8. 18 October, 10:30 - 12:30 (w42)
   Subject: Electronic signatures [Slides]
   Literature: [ES_Directive], [ETSI_TS_101_456], [HAC] (N), [NIST_KEY] (N)
   Lecturer: prof. dr. E.R. Verheul
   Assignment / tutorial: -

-  25 October, 10:30 - 12:30 (w43): Autumn holiday
-  1 November, 10:30 - 12:30 (w44): Autumn holiday

9. 8 November, 10:30 - 12:30 (w45)
   Subject: Information security in software development [Slides] [XBOX] [ARIANE]
   Literature: -
   Lecturer: dr. K. Kursawe
   Assignment / tutorial: -

10. 15 November, 10:30 - 12:30 (w46)
   Subject: Economics in information security [Slides]
   Literature: -
   Lecturer: dr. K. Kursawe
   Assignment / tutorial: -

11. 22 November, 10:30 - 12:30 (w47)
   Subject: Trusted computing and PUFs [Slides]
   Literature: -
   Lecturer: dr. K. Kursawe
   Assignment / tutorial: -

12. 29 November, 10:30 - 12:30 (w48)
   Subject: EDP audit & certification [Slides]
   Literature: [TTP.NL scheme], [CC part 1], [System Evaluation and Assurance], [CC part 2] (N), [CC part 3] (N), [CEM] (N)
   Lecturer: prof. dr. E.R. Verheul
   Assignment #5: performing a simple Windows audit (zelfstudie: 8 hours)
   Deadline: end of course (10 January 2011)
   Remark: Exercise lecture in HG00.075!

13. 6 December, 10:30 - 12:30 (w49)
   Subject: Theme #1: pseudonymization of personal data [Slides]
   Literature: -
   Lecturer: prof. dr. E.R. Verheul
   Assignment / tutorial: -

14. 13 December, 10:30 - 12:30 (w50)
   Subject: Theme #2: Human aspects in security [Slides]
   Literature: -
   Lecturer: dr. K. Kursawe
   Assignment / tutorial: -

-  20 December (w51): Christmas holiday
-  27 December (w52): Christmas holiday

-  24 January 2011: Exam
   Time: 10:30 (Strict!) - 12:30
   Location: EXAMENZAAL - Building with big tower behind the Huygens building

-  11 March 2011: Re-exam
   Time: 10:30 (Strict!) - 12:30
   Location: HG00.308

Total zelfstudie: 104 hours

Alternative assignment for Kerckhoffs students

As there is some overlap between this course and the courses that are part of the Kerckhoffs curriculum, Kerckhoffs students are not obliged to do Assignment 4 or to attend some of the lectures (cf. the planning above). Instead, Kerckhoffs students need to do an alternative assignment in which they perform a technically oriented risk assessment.

The deadline for this assignment is the end of the course (10 January 2011).

Reference of material used in the course

Ref Description
[ISO27000] Information technology — Security techniques — Information security management systems — Overview and vocabulary, ISO, 2009, available from www.iso.org.
[ISO27001] Information technology — Security techniques — Information security management systems — Requirements, ISO, 2005, available from www.iso.org and accessible in the office of Gerhard de Koning Gans.
[ISO27002] Information technology — Security techniques — Code of practice for information security management, ISO, 2005, available from www.iso.org and accessible in the office of Gerhard de Koning Gans.
[ISO27003] Information technology — Security techniques — Information security management system implementation guidance, ISO, 2010, available from www.iso.org.
[ISO27004] Information technology — Security techniques — Information security management — Measurement, ISO, 2010, available from www.iso.org.
[ISO27005] Information technology — Security techniques — Information security risk management, ISO, 2008, available from www.iso.org and accessible in the office of Gerhard de Koning Gans.
[ISO27006] Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, ISO, 2007, available from www.iso.org.
[ISO27799] Health informatics — Information security management in health using ISO/IEC 27002, ISO, 2008, available from www.iso.org.
[NEN7510] Health Informatics - Information security in the Healthcare Sector – General. In Dutch. Available from www.nen.nl.
[NEN7511-1] Health informatics - Information security in the healthcare sector - Specification for use of NEN 7510 in complex organisations, 2005. In Dutch. Available from www.nen.nl.
[NEN7511-2] Health informatics - Information security in the healthcare sector - Specification for use of NEN 7510 in cooperating practices, 2005. In Dutch. Available from www.nen.nl.
[NEN7511-3] Health informatics - Information security in the healthcare sector - Specification for use of NEN 7510 in one-man practices, 2005. In Dutch. Available from www.nen.nl.
[NEN7512] Health informatics - Information security in the healthcare sector - Basis for trust for exchange of data, 2005. In Dutch. Available from www.nen.nl.
[NEN7510HB] Handboek NEN 7510, 2005, available from http://www.digitalezorg.nl/nen7510/download/Handboek_NEN_7510_versie_1-0.pdf
[Ach27001] How to Achieve 27001 Certification, Sigurjon Thor Arnason, Keith D. Willett, Auerbach publications, 2008. Available from http://www.netbks.com/. Local copy here.
[ISO-WEB] www.iso27001security.com
National Institute of Standards and Technology (NIST), publications available from www.nist.gov
[FIPS199] Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199.
[FIPS200 ] Minimum Security Requirements for Federal Information and Information Systems, FIPS Publication 200.
[SP800-12] An Introduction to Computer Security: The NIST Handbook, SP 800-12.
[SP800-18] Guide for Developing Security Plans for Information Technology Systems, SP 800-18.
[SP800-30] Risk Management Guide for Information Technology Systems, SP 800-30.
[SP800-39] Managing Risk from Information Systems: An Organizational Perspective, SP 800-39.
[SP800-53] Recommended Security Controls for Federal Information Systems and Organizations, SP 800-53.
[SP800-53A] Guide for Assessing the Security Controls in Federal Information Systems, SP 800-53A.
[SP800-55] Performance Measurement Guide for Information Security, SP 800-55.
[SP800-61] Computer Security Incident Handling Guide, SP 800-61.
[SP800-64] Security Considerations in the System Development Life Cycle, SP 800-64.
[SP800-100] Information Security Handbook: A Guide for Managers, SP 800-100.
[SP800-115] Technical Guide to Information Security Testing and Assessment, SP 800-115.
[SP800-118] Guide to Enterprise Password Management, SP 800-118.
[SP800-600v1] Guide to Mapping Types of Information Systems to Security Categories, SP 800-60 Volume 1.
[SP800-600v2] Guide to Mapping Types of Information Systems to Security Categories, SP 800-60 Volume 2.
Organisation for Economic Co-operation and Development (OECD), publications available from www.oecd.org
[OECD1992] OECD Guidelines for the Security of Information Systems, 1992.
[OECD2002] OECD Guidance for Security of Information System and Network—Toward a Culture of Security, 2002.
Bundesamt für Sicherheit in der Informationstechnik (BSI), publications available from http://www.bsi.de.
[BSI-ISMS] Information Security Management Systems (ISMS), BSI Standard 100-1
[BSI-GM] IT-Grundschutz Methodology, BSI Standard 100-2
[BSI-RA] Risk Analysis based on IT-Grundschutz, BSI Standard 100-3
[BSI-GC] IT-Grundschutz Catalogues, available from http://www.bsi.de/english/gshb/download/index.htm
Electronic Signatures / Cryptography
[HAC] Handbook of Applied Cryptography, A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, 1996. Freely obtainable from http://www.cacr.math.uwaterloo.ca/hac/
[ES Directive] English: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (European Directive for Electronic Signatures). Local copy here. Dutch: Richtlijn 1999/93/EG van het Europees Parlement en de Raad van 13 december 1999 betreffende een gemeenschappelijk kader voor elektronische handtekeningen (Europese richtlijn electronische handtekeningen). Local copy here.

[ETSI TS 101 456] Policy requirements for certification authorities issuing qualified certificates (V 1.4.3), ETSI, see http://pda.etsi.org. Local copy here.
[NIST-KEY] Recommendation for Key Management, Special Publication 800-57 Part 1, NIST, 03/2007. See http://csrc.nist.gov/groups/ST/toolkit/key_management.html
[ES Wet] Wet Elektronische Handtekening, see http://www.e-overheid.nl/thema/juridisch/handtekeningen. Local copy here.
[ES Besluit] Besluit Elektronische Handtekening, see http://www.e-overheid.nl/thema/juridisch/handtekeningen. Local copy here.
[ES Regeling] Regeling Elektronische Handtekening, see http://www.e-overheid.nl/thema/juridisch/handtekeningen. Local copy here.
[ES Certificatie] Beleidsregel aanwijzing certificatieorganisaties, see http://www.e-overheid.nl/thema/juridisch/handtekeningen. Local copy here.
[CWA 14167-01] Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements, CEN Workshop Agreement (CWA), 2003, see http://www.cen.eu. Local copy here.
[CWA 14169] Secure Signature-creation devices 'EAL 4+', see http://www.ecp.nl/sites/default/files/TTP-NL_Scheme_version_8.1_final__June_2010_.pdf. Local copy here.
[TTP.NL schema] [Dutch] Scheme for Certification of Certification Authorities against ETSI TS 101 456, version 7, ECP.NL. Downloadable from http://www.ecp.nl/sites/default/files/TTP-NL_Scheme_version_8.1_final__June_2010_.pdf
[NIST AES] Specification for the Advanced Encryption Standard (AES), NIST, Federal Information Processing Standards Publication 197, November 26 2001. See http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
[NIST-Modes] Modes of operation of AES, see http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html
Legal aspects of information security: privacy & cybercrime
[WBP] Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens). The Dutch version can be found on www.wetten.nl; an unofficial translation of the Dutch Personal Data Protection Act can be found on http://www.dutchdpa.nl/documenten/en_wetten_wbp.shtml?refer=true&theme=purple.
[Guidelines] Guidelines for personal data processors, Ministry of Justice, The Hague, April 2001. See http://english.justitie.nl/images/handleidingwbpuk_tcm75-28677_tcm35-15485.pdf?refer=true&theme=purple
[GC-KLPD] Van herkenning tot aangifte, Handleiding Cyber Crime, GOVCERT.NL (/KLPD), 2006, available from http://www.waarschuwingsdienst.nl/download.html?f=280. Local copy here.
Miscellaneous
[HistoryBCDR] The History of Business Continuity and Disaster Recovery, available from http://www.thinkbam.com/thinking/WebArticles/02HistoryofBCDR.pdf

[OWASP] OWASP Testing Guide, available from www.owasp.org.
[MS-SEC] Microsoft Security TechCenter, http://technet.microsoft.com/en-us/security/default.aspx
[NSA-SEC] NSA security configuration guides (e.g., OS, networking), available from http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
[CCp1] Common Criteria part 1: Introduction and general model (ISO/IEC 15408-1), available from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
[CCp2] Common Criteria part 2: Security functional requirements (ISO/IEC 15408-2), available from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
[CCp3] Common Criteria part 3: Security assurance requirements (ISO/IEC 15408-3), available from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
[CEM] The guidelines for the CC evaluators (Methodology for IT security evaluation), also published as an ISO standard (ISO/IEC 18045). This can be freely downloaded from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
[COBIT] Control Objectives for Information and related Technology (COBIT), available from http://www.isaca.org/cobit/.

[Tamper Resistance] Physical Tamper Resistance, Chapter 14 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, First Edition, John Wiley & Sons, Inc., 2001, available from http://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf
[Management Issues] Management Issues, Chapter 22 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, First Edition, John Wiley & Sons, Inc., 2001, available from http://www.cl.cam.ac.uk/~rja14/Papers/SE-23.pdf
[System Evaluation and Assurance] System Evaluation and Assurance, Chapter 23 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, First Edition, John Wiley & Sons, Inc., 2001, available from http://www.cl.cam.ac.uk/~rja14/Papers/SE-23.pdf
[Security Engineering] What Is Security Engineering? Chapter 23 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, First Edition, John Wiley & Sons, Inc., 2001, available from http://media.wiley.com/product_data/excerpt/23/04700685/0470068523.pdf
[Physical Protection] Physical Protection, Chapter 11 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, Second Edition, John Wiley & Sons, Inc., 2001, available from http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c11.pdf.
Some tools used during the course (or rather the tutorial)
[Cain-Abel] Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network and by cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks. It is available from http://www.oxid.it/cain.html.
[DumpSec] DumpSec is a free security auditing program for Microsoft Windows NT/XP/200x, available for download from http://www.somarsoft.com.
[DumpReg] DumpReg is a program for Windows that dumps the registry, making it easy to find keys and values containing a string; available for download from http://www.somarsoft.com.
[NMAP] Free network security scanner, available from www.nmap.org.
[PGP] A computer program that allows one to encrypt and sign files and e-mails, available from www.pgpi.org.

Location & times

The lectures take place at 10:30 – 12:30 in room HG 00.062. All werkcolleges take place 15:30 – 17:30 in Linnaeus 8.

Werkcolleges are not compulsory but students are advised to follow them because they allow for discussion on the assignments and they make carrying out the assignments and tutorials easier.

Exam

The final exam for Security in Organizations will take place on Monday 24th of January at 10:30 AM in 'de Examenzaal'. The Examenzaal is located in the building with the big tower behind the Huygens building. The exam consists of both multiple choice and open questions. It will be an 'open book' exam, which means that you can bring any printouts of the course material. I would advise you not to bring too much, since you also need time to take the exam. Anyway, if you have successfully followed the course so far, you probably do not need the course material.

In order to let you know what you might expect we provide you with the exam of January 18, 2010. You can find it here.

Contact

Gerhard de Koning Gans is the main contact for administrative and organizational matters; all assignments and tutorials need to be delivered to him (in time).

Deliver assignments to Gerhard's post box (in the white cabinet near the printer at the station-side end of the corridor on the second floor of the Huygens building) or by e-mail to G.deKoningGans@cs.ru.nl with subject 'assignment i', where i stands for the number of the exercise.