Distance Learning (Online) MSc and Postgraduate Diploma in Information Security
   
     

 

Royal Holloway - University of London

Postgraduate

MSc and Postgraduate Diploma in Information Security

IC1 Security Management 

First term, core module.

Aims

This module will emphasise the need for good security management. Its aims are to identify the problems associated with security management and to show how various (major) organisations solve those problems.

Objectives

On completion of the module, the student will appreciate the complexities of security management, and have seen how some companies attempt to solve these problems.

Outline of syllabus

There will be 11 sessions lasting about 3 hours. Most sessions will consist of 2 parts:

(a) a lecture lasting from one to one and a half hours given by an outside industrialist and

(b) a discussion lasting from one to one and a half hours on the topics discussed in the lecture led by the academic staff member responsible for the module.

Examples of recently covered topics are:

Provisional syllabus

Why Security?
Henry Beker (Visiting Professor)

Security Architectures as a Strategic Planning Tool
Gerry Cole (CSS Ltd)

BS7799 - Information Security as Business Benefit
Mike Usher (Prudential)

The Role of Audit in Security Management
Chris Potter (Pricewaterhouse Coopers)

Telecommunications and Electronic Commerce
Richard Horne (Global Crossing)

Risk Analysis and CRAMM
Ian Glover & Steve Daniels (Insight Consulting)

Business Continuity Planning - A Safety Net for Business
David Spinks (AEA Technology)

Building a World Class Info. Sec. Management Framework for the Next Millennium Company Infrastructure
David Lacey (Consignia)

The Regulatory Environment
Chris Amery (Independent)

IT Security Management in the Real World
Mark Waghorne (Predictive)

Security Management - Trying to Put Theory into Action!
Charles Brookson (DTI)

It is anticipated that future programmes will be similar.

Method of examination

Written examination

IC2 (SC2) An Introduction to Cryptography and Security Mechanisms

First term, core module.

Aims

The approach of this module is non-technical. The main objective is to introduce the students to the main types of cryptographic mechanism, to the security services which they can provide, and to their management, including key management. The mathematical content of this module is minimal. Tutorial support for the elementary mathematics needed for this module will be provided if required.

Objectives

At the end of this module you should be able to:

  • Explain exactly what cryptography can be used for
  • Appreciate the differences between various types of cipher system and in which situations they are most usefully employed
  • Identify the issues that need to be addressed when assessing what types of cryptographic mechanism are necessary to "secure" an application
  • Describe several basic cryptographic mechanisms for providing each of the core security services
  • Identify the limitations of cryptography and how to support it within a full security architecture

Students completing this module should not expect to be able to design algorithms.

Provisional syllabus

Cryptographic techniques: An introductory overview of the aims and types of cryptographic methods. Level of security - cover time and key exhaustion.

Key management: Methods of managing keys for symmetric algorithms.

Stream ciphers: The one time pad. Pseudo-random key streams - properties and generation.

Block ciphers: Confusion and diffusion. Iterated ciphers - substitution/permutation. The Feistel principle. DES, AES, Modes of operation.

Public key cryptosystems: One-way functions and trap-doors. Diffie-Hellman key exchange. RSA. El Gamal cryptosystem.

MACs: Using DES. Hash-based MACs.

Entity Authentication/Identification: Protocols. Challenge/response.

Digital signatures: Digital signature methods - arbiters. Hash functions. SHA-1. DSS. Certificates.

Public Key infrastructures: Key management techniques for asymmetric cryptography. X.509 certificates. Directories. Revocation and CRLs. CA interworking.

There will also be a discussion of related legal and national policy issues.

Method of examination

Written examination

IC3 Network Security - Provisional syllabus

First term, core module.

Aims

This module is concerned with the protection of data transferred over commercial information networks, including computer and telecommunications networks. After an initial brief study of current networking concepts, a variety of generic security technologies relevant to networks are studied, including user identification techniques, authentication protocols and key distribution mechanisms. This leads naturally to consideration of security solutions for a variety of types of practical networks, including LANs, WANs, proprietary computer networks, mobile networks and electronic mail.

Objectives

At the end of the module students should have gained an understanding of the fundamentals of the provision of security in information networks, as well as an appreciation of some of the problems that arise in devising practical solutions to network security requirements.

Provisional Syllabus

Introductory network concepts: The OSI model and an introduction to computer networks. Example networks and protocols (LANs and IEEE 802, Internet and TCP/IP, ADSL, Cable).

Introductory network security concepts: The concepts of security threats, security services and security mechanisms (as in ISO 7498-2). Overview of security for LANs, MANs and WANs.

Network management security: SNMP security.

Identity verification: Use and storage of conventional passwords. Biometric techniques.

Authentication and key distribution: The Kerberos protocol.

Secure protocols: IPsec and Virtual Private Networking, SSH, SSL/TLS.

Network defences: Firewalls and intrusion detection systems, and the threats they counter.

Electronic mail security: Basic e-mail security, Pretty Good Privacy (PGP) and S/MIME.

Wireless security: 802.11 and Bluetooth.

Mobile communications security: Security in GSM and 3G systems.

Method of Examination

Written examination.

IC4 Computer Security (Operating Systems)

First term, core module.

Aims

This course deals with the more technical means of making a computing system secure. This process starts with defining the proper security requirements, which are usually stated as a security policy. Security models formalise those policies and may serve as a reference to check the correctness of an implementation. The main security features and mechanisms in operating systems will be examined as well as security related issues of computer architecture. Specific well-known operating systems are then studied as case studies. Other areas investigated include the security of middleware, software protection and web security.

Objectives

On completion of this course students should be able to:

  • Demonstrate an understanding of the importance of security models with reference to the security of computer systems.
  • Describe the features and security mechanisms which are generally used to implement security policies.
  • Provide examples of the implementation of such features and mechanisms within particular operating systems.
  • Display a breadth of knowledge of the security vulnerabilities affecting computer systems.
  • Demonstrate an understanding of the main issues relating to Web security in the context of computer systems.

Provisional syllabus

MSc Lab Security: An examination of the security features of the computing environment in the MSc Laboratories.

Concepts and Terminology: Security: confidentiality, integrity, availability; reliability; security policies; security models.

Access Control: Mandatory and discretionary access control, capabilities, access control lists, intermediate controls, lattice models, multilevel security.

Security Models: Information flow; Bell-LaPadula model, basic security theorem; integrity models.

Implementation of Mechanisms: Security mechanisms in operating systems, memory management, memory protection, logical protection.

Case Studies: Linux, RACF, Windows 2000, Smartcards.

Web Security: Browser security, server-side includes, cookies, mobile code, malicious code, Java security, software protection.

Middleware Security: Distributed security, CORBA security.

Method of Examination

Written examination.