
COMP3371

Cyber Security

Module Outline

Semester 1 2015/16

Module Tutors: Richard Henson (module leader), Lee Campbell

Contact details: [email protected], CH1005, int tel: 5397

[email protected]

Academic Liaison Librarian: Stephanie Allen ([email protected])

Time & Venue: Monday 1815-2115, CH1007

Wednesday 1315-1615, LG022

Verified by: Pete Moody

Electronic copy available: Blackboard and http://staffweb.worc.ac.uk/hensonr

1. What will I be able to do when I have passed this module?

On successful completion of the module, you should be able to:

1. Critically analyse the information security issues and threats facing both users and information managers in organizations

2. Identify and analyze methods, tools and techniques for combating security threats

3. Develop an information security policy for, and provide a strategy for implementation of that policy in an organization.

4. Explain the legal issues and implications with security.

2. How will this module enhance my future employability?

This module will enable you to develop and enhance the following which are highly sought by employers:

Application of relevant knowledge: you will be able to identify security vulnerabilities and use your knowledge to propose solutions, backed up by suggestions for changes to institutional policy

Research and problem solving: you will have to solve organisational problems presented to you, through use of tools, techniques and even changes of policy if the problem can be solved no other way

Critical Analysis: planning and design of translating the basics of information security to a real organisation

Self-management: manage time appropriately to complete an assignment on a real-world scenario

Use of IT: the practical sessions on uses of security tools will give you confidence in using IT ethically to assess potential security vulnerabilities

3. How is this module relevant to my overall course?

Each module and each level of your course progressively builds toward higher order skills and capabilities that you will need to achieve the best results in life. If you do not understand how this module fits into the overall course, do discuss with your tutors/ course leaders.


4. How is this module assessed?

The assessment for this module is based on two assignments as below:

1 Report

2 Report/Presentation

Further details of the assessment items and submission requirements will be notified during the module sessions.

| Assessment | Weighting | Learning outcomes assessed | Submission Date | Return Date |
|---|---|---|---|---|
| Assignment 1 | 50% | 2, 3 | 3 pm on 12/11/15 | 10th December 2015 |
| Assignment 2 | 50% | 1, 4 | 3 pm on 14/1/16 | 11th February 2016 |

Specialist Software requirements for assignment 2: Windows 2008 Server R2 on DVD (available to students free of charge through Microsoft Dreamspark)

Indicative Schedule

UMS Wk | w/c | Lecture | Seminar | Reading

1 28 Sept

Why digital information needs to be carefully looked after, and why present-day organisations are often so bad at it!

Putting security into the consciousness of management through an information security policy

Information Security Policy; Humphreys pp.105-12; ISO27001, PCI-DSS. IASME standards online

2 5 Oct

Technologies involved in modern computer systems, and protecting them.

External speaker on tools and techniques for forensic analysis

Security issues with people using technology Telecommunications and networking digital security issues

Research Acceptable Use Policy; Humphreys pp.113-23; Penetration Testing and BYOD online resources

Forensics: Britz ch 1.

3 12 Oct

Introduction to the concept of a security “control” and the three categories of computer security: technical controls, management controls, people controls

This session will also contain an assessment briefing relating to both assignments

Discussion of methods of designing and implementing secure digital systems, and their relative suitability, and classification of controls

Research online resources on Security Controls and Information Security Standards: ISO27001, IASME, Cyber Essentials

4 19 Oct

A focus on Technical controls including access control and application security. Strategic and technical needs to develop strong systems.

Explore Windows access controls & other technical controls needed to achieve particular basic (Cyber Essentials) and more complex (ISO27001) information security standards

Anderson ch 4 pp.93-129; Technical controls and Windows Server systems; Honan ch 7.

5 26 Oct

Access control categories, types and technologies (ex: passwords, biometrics, etc). Access control threats

How to implement the listed management controls on Windows systems with Active Directory…

ISC2 online resources; Honan ch 8, 10; Isaac & Isaac ch 2

6 2 Nov

Developing a security strategy to fit the needs of the organisation

Implementing a security policy

Honan ch 2

7 9 Nov

Penetration testing; Intrusion detection and prevention

Types of penetration testing, practice at non-intrusive methods

Hand in of assignment 1 (12th November, 3 pm)

8 16 Nov WBS Future Week and Awards Ceremonies

Start work on assignment 2…

9 23 Nov

CIA (Confidentiality, Integrity, Availability)

Managing & protecting Data; Social engineering awareness

Honan ch 3

Mitnick ch 3

10 30 Nov

Management controls: risk management

Information Risk Assessment, mitigation, and management tools/techniques

Freund & Jones, ch 2.

11 7 Dec

Legal, Regulations, Compliance and Investigations

Explore legal issues relating to privacy, deception, computer misuse & misuse of security tools

Britz ch 9

14 Dec, 21 Dec, 28 Dec: Christmas vacation

13 4 Jan

Application Security; Malware; Software protection; Audit and assurance mechanisms; Web applications environment

Creating and configuring a simple firewall; Secure web application for client-server use in a Windows environment (Intranet, Extranet, via secure path on Internet)

Anderson ch 21; Firewalls & antivirus software available on the world wide web; Online resources on Windows 2008 Server; Honan ch 9

14 11 Jan

Business Continuity Planning.

A plan for testing the system against typical hazards. Testing the plan…

Hand in of assignment 2 (14th January, 3 pm)

15 18 Jan Assessment week for Semester 1 modules

Specific support for your assignments is also provided via Richard Henson’s website http://staffweb.worc.ac.uk/hensonr and other on-line resources available via his website.

5. What reading should I do for this module?

Course texts:

Freund J & Jones J, (2014), Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann

Anderson R, (2008), Security Engineering: A Guide to Building Dependable Distributed Systems (2nd Edition), Wiley

Other Important reading

Britz, M.T. (2013) Computer Forensics and Cyber Crime: An Introduction, London: Prentice Hall.

Calder A, (2015), IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 – 6th ed., Kogan Page

Herold R. (2011) Managing an Information Security and Privacy Awareness and Training Program, 2nd edition, Auerbach Publications

Honan B, (2014), ISO27001 in a Windows Environment, 3rd Edition, ITGP.

Humphreys E, (2007), Implementing the ISO/IEC 27001 information security management system standard, Artech House

Isaac S, Isaac M, (2003), The SSCP Prep Guide: Mastering the Seven Key Areas of System Security, Wiley

Kaeo, M. (2010), Designing Network Security, Cisco Press

Karamanian, A., Tenneti, S., & Dessart, F. (2011) PKI Uncovered, Pearson Education

McClure S, Scambray J, Kurtz G, (2012), Hacking Exposed 7: Network Security Secrets and Solutions, McGraw-Hill Osborne

Mitnick K, & Simon W (2003), The Art of Deception: Controlling the Human Element of Security, Wiley

Newman, R. (2010), Security and Access Control Using Biometric Technologies, 1st edition, Cengage Learning

Schneiter, A., Tipton, H. & Hernandez, S. (2013) Official (ISC)2 Guide to the CISSP CBK, Third Edition: Information Security Governance and Risk Management, Auerbach Publications.

Singer, P.W. and Friedman, A. (2014) Cybersecurity and Cyberwar: What everyone needs to know, New York: OUP USA.

Stewart, M.J. (2013) Network Security, Firewalls and VPNs, 2nd edition, Jones and Bartlett Learning.

Syngress, (2003), SSCP Systems Security Certified Practitioner Study Guide and DVD Training System, Syngress

Tipton, H. (2012) Information Security Management Handbook, 6th edition, CRC Press.

Whitman, M. (2011) Hands-On Information Security Lab Manual, 3rd edition, Cengage Learning

Whitman, M., Mattord, H. & Green (2011) Guide to Firewalls and Network Security, 3rd edition, London: Cengage Learning.

Web Sites

Many web sources cover information security. Examples: ISC2 SSCP & CISSP

https://www.isc2.org/sscp/default.aspx

https://www.isc2.org/cissp/default.aspx

What Students love about this module:

This is a new module. It grew out of two previous modules: Internet Security and Information Security. Students liked exploring the issues, using the tools and applying their knowledge to simulated and real scenarios.

Previous feedback from this module n/a, new module


It is worth pointing out that the feedback you provide for a new module is particularly important. We do our best to think of everything first time around, but no-one is perfect! This (below) is an extract of how the grid might appear next year…

Action from student feedback

| Action Point | Progress |
|---|---|
| Blah, blah, blah… | Course text changed, September 2016 |

Harvard Citing and Referencing Guide

Available at http://www.worc.ac.uk/ils/documents/Harvard_referencing.pdf

Procedures for Dealing with Exceptional Mitigating Circumstances Available at http://www.worcester.ac.uk/registryservices/679.htm

Professional Code of Practice and Conduct

In order to enhance your future employability as well as the quality of your learning experience, this module seeks to encourage professional behaviour in class, which echoes professional standards in the workplace. Full details of the School’s Professional Code of Practice and Conduct can be found on Blackboard.

Sustainability

The University of Worcester is committed to addressing sustainability in its broad sense as reflected in the University Strategic Plan (to 2018) as an area of Distinction. Do consider this in the actions taken in the modules and generally in campus life.

6. Key Questions to help you achieve good results?

Throughout the year, it is important for students to ask themselves the question – is my potential being fulfilled? (see below. You might want to tick the answer column at the right)

Am I challenging myself and others around me?

Have I prepared early and managed my assessment workload?

Have I prepared for my seminars and lectures to contribute to the learning experience for my peers and tutors?

Have I adequately used and understood feedback through discussions with my academic tutor, other tutors?

Do I understand what the expectations are of me at this level? (Each level from 1st year UG to PG is different)

When in doubt, did I seek guidance/clarification - about the module, assessment, the year, in a timely manner?

What Students love about this module: In previous incarnations of the module they particularly enjoyed using the various tools and techniques available, and understanding how organisations can manage cyber security


Harvard Citing and Referencing Guide

Available at http://www.worcester.ac.uk/ils/documents/Harvard_referencing.pdf


Sustainability

The University of Worcester is committed to addressing sustainability in its broad sense as reflected in the University Strategic Plan (to 2018) as an area of Distinction and in its national reputation in the top five of the People & Planet University League - http://peopleandplanet.org/green-league-2013/tables. Do consider this in the actions taken in the modules and generally in campus life.


APPENDIX - FREQUENTLY ASKED QUESTIONS

Learning & Teaching Issues:

Q: How will this module be taught?

A: Sessions will usually consist of a range of tutor and student inputs and demonstrations, followed by a workshop. These may include: group discussions, presentations, practical activities, reflective summaries, peer and tutor feedback. There will also be guest speakers, followed by a Q&A. In addition, links from my website http://staffweb.worc.ac.uk/hensonr will enable discussion outside the formal class hours and form a repository for all module materials. You will be expected to practice the skills learned and participate in private research between the formal sessions. There will be tutorial sessions where guidance can be sought.

Q: What resources are available to support this module?

A: The range of sources includes:

The Blackboard Learning System – where you will find module, course and other useful information from your tutors, student academic representatives (StARs) and librarian. You will find a link from the module blackboard page to RH’s website

My website... This is easily accessible using the URL (http://staffweb.worc.ac.uk/hensonr) or more simply by typing the surname into Google and following the appropriate link.

Software – software relating to module activities will be available to download and downloading instructions will be given.

Library Resources - The University of Worcester Library search tool ‘Library Search’ provides you with free access to several million books, journal and newspaper articles, market reports, conference papers and more through a single search box. These resources are not accessible through freely available search engines, such as Google.  Access ‘Library Search’ by logging into the Student Portal and selecting ‘Library Search’. Alternatively go direct to your Computing LibGuide http://libguides.worc.ac.uk/computing - these guides include ‘Library Search’ plus lots more useful guidance to help you with your research.   It is important that you read and critically evaluate the resources you find, so that you are informed about, and can debate, key academic arguments.  Used wisely and appropriately, Library resources, both print and electronic, will enhance your learning and help you improve your results. Make sure you use them! For further help and guidance email the general library enquiry service [email protected] or contact your Academic Liaison Librarian, Stephanie Allen [email protected] .  You can also ask at the enquiry desk on level 3 in The Hive.

Q: What equal opportunities arrangements are available?

A: If you have any particular or additional learning needs, please feel free to speak with the module tutors, who will be pleased to help you. University of Worcester is committed to ensuring that disabled people, including those with learning difficulties, are treated fairly. Should you have any disability or condition that the tutor should know about, tutors will make every effort to accommodate any particular needs, so long as they are made aware of them. You will find additional useful information on the Disability and Dyslexia webpages at http://www.worcester.ac.uk/student-services/disability-and-dyslexia.htm


Assessment & Feedback:

Q: Will assessment criteria be made clear in advance? Yes. Worcester Business School introduced grading matrices to ensure that every module provides at least a full page of guidance but also a full page plus additional written comments of feedback to help you to improve. If in doubt speak with your academic tutor as they can see all your results over the years.

Q: How do I know that assessment arrangements and marking have been fair? There are well established procedures to ensure all students are treated fairly – all assessments are written by module leaders before the start of year, checked by an independent academic staff, made available to external examiners, grading matrices and assessment briefs are provided very early in advance of deadlines to students. In terms of marking, we have e-submission and anonymous marking. There are also many processes that are in place - a sample of work is moderated by a different academic than the marker, many staff choose to blind pre-moderate the same sample of scripts also, a sample of scripts are sent to the External Examiner (from another university) and then they are considered by an exams board. These are only some examples to assure you that the process is fair.

Q: How prompt is feedback on my work? Students receive feedback all the time in class, in emails, in group discussions etc. They also receive feedback on submitted work, as the University requirement is that you receive it back in 20 working days from the time you submit.

Q: How will I get feedback about my work? Feedback can take many forms, but each can be used to improve your performance. Some of the different types of feedback include:

Generic feedback from tutors covering particular strengths/weaknesses found in the work of a particular student group (by email, in class, electronic forms (e.g. videos, blogs, narrated slides etc)).

Comments from other students about your work (peer feedback) written and spoken (in class, 1-1, in groups).

Verbal comments from your tutor/peers associated with your work (while discussing in class (e.g. ideas you are thinking about), in seminars/ groups (e.g. Q&As, debates), 1-1 conversations).

Written comments from your tutor (by email answering questions, on the virtual learning website (e.g. Blackboard) providing responses to student queries, usually attached to your assignments).

A: You will receive feedback throughout the module via give details as appropriate (e.g. formative assessments, group discussions, mock exams, seminar activities, etc., etc.). Marks and comments on your coursework assignments are normally provided electronically via SOLE within 20 working days of hand-in date.

Please refer to the link below to the Student Feedback Charter with some good ideas on how to improve your grades using feedback: http://www.worcester.ac.uk/registryservices/documents/StudentFeedbackCharter.pdf

Q: How can I learn to improve?

A: The following resources will help you to optimise your grade potential:

Your assignment feedback, which will help to clarify areas you can improve in future assessments.

Your Academic Tutor is the only person who can see how your studies are progressing across all modules and years. They can locate strengths across modules and areas for improvement. They will work with you to develop strategies to address any of these areas. Module tutors can only see their own module. You should arrange to meet regularly with your Academic Tutor. You will have time at Induction to meet your tutors and also be sent reminders over the academic year. Ensure you get the full benefit of this important aid to your learning.

The Study Skills Advice Sheet ‘Using feedback to improve your work’ offers some helpful tips and a checklist. This is available at http://www.worcester.ac.uk/studyskills/documents/Using_feedback_to_improve_your_work_2012.pdf

Q: What advice do you have about how to write, reference and present my work in order to obtain the best possible grade?

A: You will be graded on the quality of your writing as well as the content. This will include

The ability to present your material in an appropriate format (report, essay etc)

The ability to present your work in grammatically correct English (sentences, paragraphs, apostrophes etc)

The correct use of references based on the Harvard system – see guide available at http://www.worcester.ac.uk/ils/documents/Harvard_referencing.pdf A hard copy of this guide is available in the Library.

Poor English and referencing can lose you up to two grade points per assignment (this will not apply to students having support from the Disability & Dyslexia Service).

Academic support is available to you. See http://www.worcester.ac.uk/studyskills/

There is also a Writer in Residence who is available to support students with their writing skills. See http://www.worcester.ac.uk/your-home/11932.html

International Students can also contact the Language Centre for appointments on a 1-1 basis. See link http://www.worcester.ac.uk/your-home/language-support.html

Q: Why is it important to reference?

A: It is important that work you submit is entirely your own. This is why you must clearly identify all sources, including the internet, and communicate your thoughts in your own words/diagrams/images rather than reproducing the material of others. Failure to do so may lead to an allegation of cheating. The use of online collaborative encyclopædias such as Wikipedia is not acceptable.

Student Responsibilities:

Please refer to the link below to the University Student Charter which underpins this section: http://www.worcester.ac.uk/registryservices/documents/StudentCharter.pdf

Q: Why is it important to attend ALL sessions for this module?

A: Attendance and participation are essential elements of ‘being a student’ and there is a very high correlation between high levels of participation and achievement; consequently, the following requirements operate.

You are expected to attend and participate in every session.

An attendance register will be taken at each session

If you cannot attend for any genuine reason (e.g. illness) you are expected to e-mail the module leader

Persistent non-attendance will require an explanation, in person, initially with the module leader.

Q: What will I be expected to do for this module?

A: In addition to the formal contact hours you will be expected to engage in approximately seven hours of independent study each week for this module. This is an essential part of your degree. In this module this will typically involve:


Reading for lectures, case study work, reading for seminars, or other activities set by the tutors

You must do any pre-set work for seminars – if you do not do this you may be excluded from the seminar which will then count as a non-attendance.

You should include time to produce your assignments including - planning, drafting, consulting with your tutors or other students (if a group assignment), writing-up/production, confirming sources and references (to avoid any possibility of plagiarism), checking and finalising your work for submission.

It is essential, therefore, that you plan time in your weekly schedule for independent academic study and assignment preparation.

Q: Why is it important that I hand my work in on time?

A: It is essential that you submit your work, in order to be able to pass the module. Work which is submitted late will be subject to grade penalties:

Late but within 5 days of the due date - the grade will be capped at the minimum pass grade (unless a claim of mitigating circumstances is made and upheld).

Later than 5 days but within 14 days of the due date - work will not be marked unless a claim of mitigating circumstances is made and upheld.

Q: How do I get advice about my studies, choices, my personal development? Each student is allocated an academic tutor who knows the subject area. In the first year at undergraduate level, it will be with a tutor who teaches in the first year to ensure they are familiar with the issues you might be encountering. It is very important that you keep in touch with them during your time at University as they see your overall progress across modules, years and they will write your reference. If you need support to enhance your personal skills, your communications abilities, and general development, do seek their support. They will contact you too and reminders will be sent out but only you know when you need some guidance at a particular time.

Module Organisation & Management Issues:

Q: How do I contact the module tutors?

A: Email the module leader/named person on module outline document rather than individual tutors directly. Provided you have emailed from your university address you should expect to receive a reply within 3 working days. If this is not the case, please email [email protected] to chase your enquiry.

Q: How can I communicate my views about the module?

A: Module tutors will welcome your comments throughout the module. You will also be asked to complete a module feedback sheet for each module. Students also now have the opportunity to provide feedback on their whole experience across modules and the entire university in the University Student Survey (for first, second and Masters level students). Final year undergraduates complete the National Student Satisfaction Survey (NSS) which produces a league table of your course compared to most other Universities across the United Kingdom. The results of these will influence how the module is run and suggestions, as well as praise, are always welcomed. Your tutors will tell you at the start of the module how feedback from a previous occurrence (if there was one) has influenced the current delivery. You can also access fuller details on Blackboard in the folder marked ‘Tutor Responses to Your Module Evaluation Questionnaires’. There will also be a Course Management Committee meeting each semester including student representatives, teaching staff, and Library Services advisers. The purpose of the meeting is to discuss issues related to the course and receive comments from students. The minutes are posted on Blackboard.


Q: Where can I find Student Handbooks?

A: The most useful handbook is your Course Handbook which is available on Blackboard. Other handbooks which you may find useful include:

The University Student Handbook (via SOLE)

The Overseas Exchange Handbook (via SOLE)

The New Student Guide (via SOLE)