College of Business and Information Technology Mission Statement: Using a model of theory and practice, the College of Business and Information Technology prepares a diverse body of domestic and international students for successful careers in a variety of organizations through interdisciplinary educational programs that emphasize analytical, technological, ethical, team work, global management, and interpersonal skills essential in an interconnected world economy. Faculty engagement in scholarly activity and service to the University, the profession, and the community complements our primary commitment to teaching and service excellence.
Course Title: INT 7263, Threats, Vulnerabilities, Security Controls, & Countermeasures – CRN 1512: 3 credit hours
Term: 27 August – 14 December 2018. Final Exams are the week of 17 December 2018. Please refer to the Registrar’s Calendar for the last date to withdraw and other important registration related information.
Required Text and/or Course Materials:
1. Green, S.S. (2014). Security Program and Policies: Principles and Practices, 2nd edition. Pearson. ISBN 978-0789751676
2. Shostack, A. (2014). Threat Modeling: Designing for Security, 1st edition. Wiley. ISBN 978-1118809990
Available for online purchase through the LTU Bookstore
Instructor:
Name: Anne Kohnke, Ph.D.
Title: Associate Professor
E-mail address: akohnke@ltu.edu (best way to reach me)
Meetings: Google Meet or Skype
Tele: 248.204.3085
Office Room #: M320
Office hours: Mon, 2pm-5pm; Tues, 2:30pm-5:30; and Wed, 3pm-5pm (it is highly recommended to make an appointment to ensure I am available)
Prerequisite Coursework and/or Skills:
• Graduate level INT 5024 Minimum Grade of C- and Graduate level INT 6043 Minimum Grade of C-
or
• Graduate level MIS 5023 Minimum Grade of C- and Graduate level MIS 6013 Minimum Grade of C-
Additional Materials:
• Windows Laptop/PC
• Lynda.com, http://www.ltu.edu/ehelp/lynda.asp
Catalog Course Description: This course will introduce students to the principles of cybersecurity threats and vulnerabilities of an organization’s mission critical information assets in order to develop and implement effective security controls and countermeasures. Before an attack even occurs, organizations must strategically assess their cybersecurity risks and the likelihood and consequences of an attack, develop and prepare incident response teams and policies, develop and implement security controls and countermeasures, ensure compliance with all financial and governmental regulations, and be skilled in using security testing tools and techniques. Students will be introduced to the methods, policies, frameworks, and security tools used to detect, respond to, evaluate, and resolve computer security incidents.
Course Outcomes: The course learning outcomes are aligned with the weekly course teaching and learning goals and assignments. The outcomes will be evaluated through assignments, assessments, and other methods throughout the course.
https://www.ltu.edu/registrars_office/academic-calendar-final-exam.asp
http://lawrence-tech.bncollege.com/webapp/wcs/stores/servlet/BNCBHomePage?storeId=30552&catalogId=10001&langId=-1
LTU Online INT 7263, Threats, Vulnerabilities, Security Controls, and Countermeasures
(Online) CRN 1512 Fall 2018
The primary goal of this course is to provide an overview of cybersecurity threats and threat modeling, vulnerabilities, risk management, IT governance, security controls, and countermeasures. On completion of this course, you will be able to:
1. Understand IT Governance and the criticality of developing and implementing a comprehensive information security plan
2. Understand and create information security policies, policy elements and style, and successful policy characteristics
3. Understand risk management, identify mission critical information assets and understand how to classify data for risk assessment
4. Analyze and evaluate information security risk management frameworks, security control frameworks, libraries, and countermeasures
5. Design and develop management, technical, and operational security control policies and countermeasures for small to large complex corporate organizations.
6. Identify and understand threats and vulnerabilities to the information assets and learn the security tools to protect those assets
7. Understand and develop a comprehensive threat model
8. Understand and apply the elements of STRIDE
9. Evaluate attack trees and libraries and develop an attack tree
10. Understand how to process and manage threats and the defensive tactics and technologies used
11. Understand how to validate that threats are addressed
12. Understand and discuss open source and commercial tools used in threat modeling
13. Understand and discuss security requirements
14. Examine web, cloud, and account threats
15. Examine human factors (insider threats)
Course Schedule: This fully online course begins with an online course orientation to familiarize you with the online learning environment and to establish contact with your instructor. Please complete the “Getting Started” Orientation by the first Monday of class. Each week starts on a Monday and ends on a Sunday.
| Dates | Modules | Outcomes | Topics / Readings | Assignments Due |
|---|---|---|---|---|
| Prior to August 27; Week of 8/27 – 9/2; No Classes 9/3 - Labor Day Holiday | Module 0; Module 1 (Note: more than one module may be combined due to holidays and topics) | 1 | Welcome from the Instructor - Overview of the syllabus; Chapter 1, Understanding Policy; Chapter 2, Policy Elements and Style | Assignment #1 - (Individual) Introductions posted in Discussion Forum |
| Week of 3-9 Sept; Week of 10-16 Sept | Module 2 & 3 | 1-5 | Chapter 3 Part 1 & 2, Information Security Frameworks; Chapter 4, Governance and Risk Management, Information Security Controls (Technical, Operational, Management Controls) | Assignment #2 - Cybersecurity Policy Case, Due by end of Module 3 |
| Week of 17-23 Sept | Module 4 | 1-5 | Chapter 5, Asset Management; Information / Data Classification | Discussion Forum |
| Week of 24-30 Sept | Module 5 | 6-7 | Chapter 1, Threat Modeling; Chapter 2, Strategies for Threat Modeling | Assignment #3 - Risk Assessment Case, Due by end of Module 5 |
| Week of 1-7 Oct; Week of 8-14 Oct | Modules 6 & 7 | 6-8 | Chapter 3, STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege | Assignment #4 – Threat Modeling Project Part 1, Due by end of Module 7 |
| Week of 15-21 Oct | Module 8 | 1-8 | Midterm Exam | |
| Week of 22-28 Oct; Week of 29 Oct-4 Nov | Module 9 & 10 | 6-9 | Chapter 4, Attack Trees; Chapter 5, Attack Libraries; ADTool Attack Tree Software Installation | Assignment #5 – Threat Modeling Project Part 2, Due by end of Module 10 |
| Week of 5-11 Nov | Modules 11 | 6, 10 | Chapter 7, Processing and Managing Threats; Chapter 8 Defensive Tactics and Technologies | Discussion Forum |
| Week of 12-18 Nov | Module 12 | 11 | Chapter 9, Trade-offs When Addressing Threats; Chapter 10, Validating That Threats are Addressed | Assignment #6 – Threat Modeling Project Part 3, Due by end of Module 12 |
| Week of 19-25 Nov; No Classes 11/22-23 Thanksgiving Holiday | Modules 13 | 12, 13 | Chapter 11, Threat Modeling Tools; Chapter 12, Security Requirements | Discussion Forum |
| Week of 26 Nov-2 Dec; Week of 3-9 Dec | Modules 14 & 15 | 14 | Chapter 13, Web and Cloud Threats; Chapter 14, Accounts and Identity | Assignment #7 – Threat Modeling Project Part 4, Due by end of Module 15 |
| Week of 10-16 Dec | Module 16 | 15 | Chapter 15, Human Factors and Usability | Assignment #8 – Threat Modeling Project Part 5, Due by end of Module 16 |
| Week of 17 Dec | Finals Week | 1-15 | Final Exam | |
Student Assessment: The course has a total of 8 individual assignments, 4 discussion forums, and 2 exams totaling 440 points. Letter grades are awarded based on the total number of points achieved. All assignments must be submitted on schedule via Canvas. If you need to submit an assignment via email, contact the instructor in advance. Please refer to course policies for late work submissions. Assignments/Points:
| Assignment | Points | Outcomes |
|---|---|---|
| Assignments 1-8 (20 points each) | 160 | 1-15 |
| Midterm Exam | 100 | 1-8 |
| Online Participation | 80 | 1-15 |
| Final Exam | 100 | 1-15 |
| Total: | 440 | |
Grading Scale:
| Grading Scale % | Grade for Undergraduate Courses | Grade for Graduate Courses |
|---|---|---|
| 95 and above | A | A |
| 90 – under 95 | A- | A- |
| 87 – under 90 | B+ | B+ |
| 83 – under 87 | B | B |
| 80 – under 83 | B- | B- |
| 77 – under 80 | C+ | C+ |
| 73 – under 77 | C | C |
| 70 – under 73 | C- | C- |
| 67 – under 70 | D+ | F |
| 63 – under 67 | D | F |
| 60 – under 63 | D- | F |
| Under 63 | F | F |
Note: Grades lower than a “B” fall below the LTU graduate standard.
Assignments:
Assignments and evaluation criteria will be provided in separate documents posted on Bb. Please review these requirements carefully.
Assignments
• There will be a total of 8 Assignments and 4 discussion forums. An assignment is used to ensure that each student knows how to apply the knowledge (theory) learned in the modules to exercise (practice) the variety of topics covered. Each assignment will have a separate handout that will include instructions and due dates. Please use the naming convention for every Assignment electronic file: INT7263_Fall2018_Assignment#X_Your Name.
Exams
• There will be a midterm and a final exam. The final exam will not be comprehensive of all material covered during the term.
Course Policies:
Communication:
• You are expected to participate regularly in the course. Take time to familiarize yourself with the organization of the Canvas site. Check the site frequently for new posts and/or announcements.
• All communication from LTU to students, faculty, and staff will be sent to Lawrence Tech email addresses and will not be sent to addresses in any other domain. Your LTU email is easily accessed from the www.my.ltu.edu website.
Attendance and Interaction:
• It is essential that all students actively contribute to the course objectives through their experiences and working knowledge. Participation may include actively participating in Canvas discussion forums, responding to questions posted by the instructor, and interacting positively with other students through various instructional methods and tools.
• Students who miss class cannot earn participation points—there is no extra credit.
• If you miss two class sessions in a row, it is my responsibility to report your absence to the Registrar.
• If you have any questions regarding your performance in the class or on graded assignments/class materials, please contact me and I will be happy to meet with you on Google Hangouts or on Skype.
• This online course will require your time and attention. A three-credit course generally requires at least nine hours per week of time commitment. You are encouraged to create a schedule to manage your time and meet course requirements.
Assignments:
• All assignments must be completed individually, except where explicitly specified as a team activity. In completing the assignments, instructors expect that students will attempt to solve assigned problems by themselves or, if permitted by the instructor, by a group of students. Normally, instructors allow for general discussion between students about how to solve a problem. In no case, however, is it acceptable for one student to copy a solution from a peer. Copying or submitting very similar work to another student’s work will result in a zero for both students and an Honour Code Violation Form will be submitted to the Dean of Students.
Late Work:
• Readings, discussion forum participation, and assignments must be completed according to the class schedule. Late work will be reduced in value 5 points per day. After 3 days, the assignment will not be accepted.
Technology Tools:
• This course uses the Canvas Learning Environment www.my.ltu.edu and uses the following technology tools: embedded audio/video lectures, hyperlinks, discussion forums, Google Hangouts, etc. It is the student’s responsibility to have access to these tools and to be able to use them successfully.
• Technical Support for using Canvas is provided by the Helpdesk at www.ltu.edu/ehelp, or 248.204.2330, or helpdesk@ltu.edu.
Sanctions:
• Academic dishonesty includes plagiarism, cheating, forgery, or other acts that deceive or defraud in regard to a student’s own academic work or that of others. The Dean of the College responsible for the courses in which they occur reviews questions of academic dishonesty. The usual penalty for academic dishonesty is failure in the course on the first offense, and expulsion from the University on the second offense. For more information visit Academic Honor Code at http://www.ltu.edu/currentstudents/honor_code.asp
University Policies, Services, and Information: The following LTU policies, services, and information may be found at LTU Online “Getting Started” Orientation:
• Help with Canvas and taking an online course, Netiquette, and technology accessibility statements
• Minimum technical requirements and instructions for use, technical skills and special technology tools
• University policies, including the Student Code of Conduct and Academic Honor Code
• Student Academic Services, including the Library and the Academic Achievement Center
• Student Support Services, including Disability Services, Advising, and all other university student services
Expectations of Instructor: I plan to offer you a valuable learning experience and expect us to work together to achieve this goal. It is important for you as students to know what to expect from me as your instructor:
• I will be available to you via e-mail and phone, and will promptly reply to your messages within 48-72 hours, not including the weekends.
• I will be available to you for appointments as requested.
• I will maintain the Canvas web site with current materials, and will resolve any content-related problems promptly as they are reported to me.
• I will send out a weekly announcement as a guide to the upcoming work.
• I will return all assignments to you promptly within two weeks, and will include individualized comments and suggestions with each assignment.
• I will hold our personal written or verbal communications in confidence. I will not post any of your assignments for viewing by the class without requesting your approval in advance.
• I will treat all members of the class fairly and will do my best to accommodate individual learning styles and special needs.
• If any of these points need clarification, or should special circumstances arise that require my assistance, please contact me so that we may discuss and resolve the matter.
• At midterm and at the end of the course, you will be invited to participate in a University evaluation of this course. Your feedback is important to the University, to LTU Online, and to me as an instructor, and I strongly encourage your participation in the evaluation process.
http://www.ltu.edu/ehelp/gettingstarted.asp
Traits and Rubric to Assess Student’s Capabilities Related to Critical Thinking
| Objective | Trait | Deficient (1–2) | Competent (3–4) | Exemplary (5–6) | Score |
|---|---|---|---|---|---|
| Graduates can identify main problem and key assumptions | Identification of the main problem in a business situation | Student fails to identify the main problem in a business situation | Student substantially identifies the main problem in a business situation | Student comprehensively and precisely identifies the main problem in a business situation | |
| | Identification of the key assumptions surrounding a business situation | Student fails to identify the key assumptions surrounding a business situation | Student substantially identifies the key assumptions surrounding a business situation | Student identifies all the key assumptions surrounding a business situation | |
| Graduates can evaluate the relevance of data | Evaluation of the relevance of the data | Student uses irrelevant data or ignores relevant data | Student correctly evaluates the relevance of the data | Student identifies logical data and ascertains source of irrelevant data | |
| | Evaluation of the validity of the data | Student fails to identify invalid data | Student correctly evaluates the validity of the data | Student separates valid data and ascertains source of invalid data | |
| Graduates can present feasible solution | Ability to solve problems | Student is unable to solve problems | Student solves problems in satisfactory manner | Student solves problems and provides insightful solutions | |
| | Ability to arrive at valid, supported conclusions | Student provides conclusions that are unsupported by the data | Student’s conclusions are supported by the data | Student’s solutions are supported by the data and demonstrate a deep understanding of the issues involved | |
| | Understanding of the implications of the conclusions | Student ignores implications of conclusions or generalizes beyond the scope of relevance | Student demonstrates an understanding of the immediate effects of the conclusions drawn | Student correctly generalizes conclusions to related areas affected by the issues | |
Traits and Rubric to Assess Student’s Oral Presentation Skills, Master’s Programs
| Objective | Trait | Deficient (1–2) | Competent (3–4) | Exemplary (5–6) | Score |
|---|---|---|---|---|---|
| Graduate demonstrate mastery of communication technology. | Use of media | Lack of/or misuse of media detracts from the presentation objective | Use of media supports and contributes to the presentation objective | Use of media supports, clarifies and reinforces the presentation objective | |
| | Quality of slides | Misuse (not enough or too much) of colors, animations, and fonts detracts from the presentation objective | Use of media supports, clarifies, and reinforces the presentation objective | Use of colors, animations, fonts supports, clarifies, and reinforces the presentation objective | |
| Graduate can develop and deliver a compelling oral presentation grounded in relevant information and facts. | Opening statement | Missing opening statement or statement does not introduce topic | Clear opening statement introduces topic | Clear opening statement introduces topic, captures audience attention, and sets tone for presentation | |
| | Organization | Presentation is disorganized and/or not well sequenced | Presentation is organized and well sequenced with transitions. It previews and covers main points | Presentation is organized and well sequenced with smooth transitions. It previews, covers, and develops main points | |
| | Content | Content is irrelevant or incorrect with no supporting evidence | Content is relevant and correct with supporting evidence | Content is relevant and correct with supporting evidence, and incorporates innovative insights | |
| | Conclusion | Conclusion missing or content does not support the conclusion | Conclusion is supported by content and contains a review of key points | Conclusion is supported by content, contains a review of key points, and stimulates further inquiry with closing thought | |
| | Timing | Presentation is too short resulting in insufficient coverage of material or is too long | Utilizes allotted time to provide sufficient coverage of material | Utilizes allotted time to provide sufficient coverage of material in a well-paced manner | |
| Graduate can deliver a compelling oral presentation with clarity and appropriate poise. | Clarity of speech | Inaudible or confusing, with a lack of fluency, and predominant use of sloppy speech patterns | Sufficient volume, understandable, avoids sloppy speech patterns | Modulates volume to hold audience attention. Is clear, articulate, and fluent | |
| | Engages audience | Avoids eye contact, reads from slides or notes, or speaks in a monotone | Establishes eye contact | Establishes eye contact and engages audience | |
| | Appearance | Sloppy, inappropriate, or distracting appearance | Clean and well-groomed appearance, business casual attire | Professional attire | |

