...ITT Technical Institute IT255 Introduction to Information Systems Security Onsite Course SYLLABUS Credit hours: 4 Contact/Instructional hours: 50 (30 Theory Hours, 20 Lab Hours) Prerequisite(s) and/or Corequisite(s): Prerequisites: IT220 Network Standards and Protocols, IT221 Microsoft Network Operating System I, IT250 Linux Operating System Course Description: This course provides an overview of security challenges and strategies of countermeasures in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems. Introduction to Information Systems Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas: Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program: IS427 Information Systems Security Capstone Project 400 Level IS404 Access Control, Authentication & PKI IS411 Security Policies & Implementation Issues IS415 System Forensics Investigation & Response IS416 Securing Windows Platforms & Applications IS418 Securing Linux Platforms & Applications IS421 Legal & Security Issues IS423 Securing Windows Platforms & Applications ...
Words: 4114 - Pages: 17
...2. Cryptography: Overview An overview of the main goals behind using cryptography will be discussed in this section along with the common terms used in this field. Cryptography is usually referred to as "the study of secrets", while nowadays it is mostly attached to the definition of encryption. Encryption is the process of converting plain text ("unhidden") to cryptic text ("hidden") to secure it against data thieves. This process has another part where the cryptic text needs to be decrypted on the other end to be understood. Fig.1 shows the simple flow of commonly used encryption algorithms. Fig.1 Encryption-Decryption Flow As defined in RFC 2828 [RFC2828], a cryptographic system is "a set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context." This definition defines the whole mechanism that provides the necessary level of security, comprised of network protocols and data encryption algorithms. 2.1 Cryptography Goals This section explains the five main goals behind using cryptography. Every security system must provide a bundle of security functions that can assure the secrecy of the system. These functions are usually referred to as the goals of the security system. These goals can be listed under the following five main categories [Earle2005]: Authentication: This means that before sending and receiving data using the system, the receiver and sender identity should be verified...
Words: 6825 - Pages: 28
...Answer the following questions a) What is the basic concept of interest? b) How is interest usually expressed? (In terms of the principal) Interest is usually expressed as a percent of the principal. c) What does the interest rate multiply on for simple interest? A 30-year loan for $100,000 with a rate of 6%. The monthly payment would be $599.56 for both the standard and simple interest mortgages. The interest due is calculated differently, however. On the standard mortgage, the 6% is divided by 12, converting it to a monthly rate of .5%. The monthly rate is multiplied by the loan balance at the end of the preceding month to obtain the interest due for the month. In the first month, it is $500. d) What does the interest rate multiply on for compound interest? It multiplies interest * total amount. What is the formula for simple interest? I = P * r * t e) Example below f) What is the formula for compound interest? P is the principal (the initial amount you borrow or deposit), r is the annual rate of interest (percentage), n is the number of years the amount is deposited or borrowed for, and A is the amount of money accumulated after n years, including interest. When the interest is compounded once a year: A = P(1 + r)^(n*t) Also you can use compound interest like this: Annually = P × (1 + r) (annual compounding); Quarterly = P(1 + r/4)^4 (quarterly compounding); Monthly = P(1 + r/12)^12 (monthly compounding). Given the following...
Words: 367 - Pages: 2
...1. Data Encryption Standard (DES): A predominant algorithm for the encryption of electronic data. It was influential in the advancement of modern cryptography in the academic world. 2. Rivest, Shamir and Adleman (RSA) encryption algorithm: Internet encryption and authentication system that uses an algorithm. It is the most commonly used encryption and authentication algorithm. 3. Triple DES: A block cipher which applies the Data Encryption Standard cipher algorithm three times to each data block. 4. Diffie-Hellman key exchange: A specific method of exchanging cryptographic keys. It allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. 5. International Data Encryption Algorithm (IDEA): Uses a block cipher with a 128-bit key, and is generally considered to be very secure. It is known as the best publicly known algorithm. 6. ElGamal encryption algorithm: An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman exchange. It is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. 7. Carlisle Adams and Stafford Tavares (CAST) algorithm: This is a substitution-permutation algorithm similar to DES. It was designed with public criteria. 8. Elliptic curve cryptography (ECC): A public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic...
Words: 519 - Pages: 3
...Richman Investments To: Don, IT supervisor From: XXXX,XXXXXXXXXX, IT Intern I was tasked with drafting a report on the Richman Investments “Internal Use Only” data classification standard. This report will address which IT Infrastructure domains are affected by the standard and, in addition, how they are affected. There are seven layers (domains) in the IT Infrastructure that are affected by this; however, I will mainly focus on three. The User Domain is the first layer in the IT Infrastructure and is the weakest link in an IT Infrastructure. This is where you will encounter your risks, threats and vulnerabilities. But you can also mitigate most of the common user security risks. Here, the employees can access systems, applications and data based on their access rights. This is where one will find an Acceptable Use Policy (AUP). The AUP defines what every system user is allowed to do with company-owned systems. The Workstation Domain is the second layer in the IT Infrastructure. This is where most users connect to the IT Infrastructure. Keep in mind, a workstation can be either a centralized desktop computer or a laptop computer or any device utilized to connect onto the network. The users will initially access systems, applications and/or data. However, in order to protect the systems, workstations require additional layers of security such as logon IDs and passwords. The LAN Domain is the third layer in the IT Infrastructure. Your LAN (Local Area Network) allows for computers...
Words: 374 - Pages: 2
...Internet DMZ Equipment Policy 1.0 Purpose The purpose of this policy is to define standards to be met by all equipment owned and/or operated by Richman Investments located outside Richman Investment's corporate Internet firewalls. These standards are designed to minimize the potential exposure to Richman Investment from the loss of sensitive or company confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of Richman Investment resources. Devices that are Internet facing and outside the Richman Investment firewall are considered part of the "de-militarized zone" (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls. The policy defines the following standards: * Ownership responsibility * Secure configuration requirements * Operational requirements * Change control requirement 2.0 Scope All equipment or devices deployed in a DMZ owned and/or operated by Richman Investment (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by Richman Investment, must follow this policy. This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the "RichmanInvestment.com" domain or appears to be owned by Richman Investment. All new...
Words: 1219 - Pages: 5
...Multi-Layered Security Outline To: Richman Investments Senior Management Outline includes: Security solutions for each of the seven domains. User Domain: This is where the first layer of defense starts for a layered security strategy. We will conduct security awareness training, restrict access for users to specific systems and programs, create an acceptable use policy, and track and monitor employee behaviors. Workstation Domain: Start by creating strong passwords to protect workstation access, then enable antivirus protections, and mandate security awareness training for all employees. This domain is almost as vulnerable as the user domain and also needs constant monitoring. LAN Domain: To prevent unauthorized access we can physically secure wiring closets and data centers, implement encryption protection, define strong access control policies and strong second-level authentication. LAN-to-WAN Domain: Disabling ping, probing and port scanning, applying strict security monitoring controls, and updating devices with security fixes and software patches right away are excellent measures to take. WAN Domain: Use encryption and VPN tunnels for end-to-end secure IP communications, and scan all e-mail attachments for type, antivirus, and malicious software. Back up and store data in off-site data vaults. Remote Access Domain: Establish user ID and password policies requiring periodic changes, set automatic blocking for attempted logon retries, and encrypt all data within the...
Words: 257 - Pages: 2
...TO: FROM: DATE: SUBJECT: Unit 5 Assignment 1: Testing and Monitoring Security Controls REFERENCE: Testing and Monitoring Security Controls (IT255.U5.TS1) Grade: One hundred points total. See each section for specific points. Assignment Requirements Part 1: Identify at least two types of security events and baseline anomalies that might indicate suspicious activity. Explain why they might indicate suspicious activity. (Forty points. Twenty points for each event.) # | Security Event & Baseline Anomaly That Might Indicate Suspicious Activity | Reason Why It May Indicate Suspicious Activity | 1. | Authentication Failures | Unauthorized access attempts | 2. | Network Abuses | Employees are downloading unauthorized material. | 3. | | | 4. | | | 5. | | | 6. | | | Part 2: Given a list of end-user policy violations and security breaches, select three breaches and consider best options for monitoring and controlling each incident. Identify the methods to mitigate risk and minimize exposure to threats and vulnerabilities. (Sixty points. Twenty points for each breach.) # | Policy Violations & Security Breaches | Best Option to Monitor Incident | Security Method (i.e., Control) to Mitigate Risk | 1. | A user made unauthorized use of network resources by attacking network entities. | Monitor the logs | Fire the user | 2. | Open network drive shares allow storage privileges...
Words: 295 - Pages: 2
...Part I The following outline presents the fundamental solutions for the safety of data and information that belongs to Richman Investments. As part of the general security plan of the organization, the IT department puts together a proposal to provide multi-layered security strategies that can be applied at every level of the IT structure. The plan will lay out the importance of improving and safeguarding the levels of each domain and the process of protecting the information of the organization. User Domain At Richman Investments the personnel are accountable for the appropriate use of IT assets. Therefore, it is in the best interest of the organization to ensure employees handle security procedures with integrity. It is essential to create a strong AUP (Acceptable Use Policy) procedure and, as part of the process, require employees to sign an agreement to guarantee they understand and conform to implemented rules and regulations. In addition, the company will conduct security awareness training, annual security exercises, notices about securing information, and constant reminders that security is everyone’s responsibility. Workstation Domain The plan to secure the workstation domain enforces a strong password policy on each workstation and also enables screen lockout protection for inactive times. Keeping all workstations with an up-to-date antivirus is essential. Furthermore, content filtering features will arrange access to specific domain names according to AUP definitions...
Words: 779 - Pages: 4
...Richman Investments’ Remote Access Security Standard defines required tools and practices to ensure that faculty and staff can access data from remote locations in a secure manner. Company data, which is fully defined in the Information Security Standard, can generally be grouped into three, broad categories: 1. Confidential Data: This category includes the most sensitive data (ex: Social Security numbers) and requires special protection. 2. Enterprise Data: This category also includes sensitive information (ex: business records) that must be protected. 3. Public Data: This information is generally widely disseminated and can be accessed with higher levels of security protection. Different security requirements apply to each of the categories of data. The objective of the company’s security standards is to keep company data on internal, secure systems whenever possible and apply high levels of security in the rare cases when sensitive data must be moved out of internal systems. Level 1 Minimum Computer Security Requirements: The requirements below apply to all computers that are used to access company data from remote locations. Faculty and staff who only need to meet these minimum requirements include those who only need SU “public” services. Such services include www.syr.edu and other public web sites, Myslice “self service” functions, Outlook/Exchange e-mail, and departmental Terminal Servers, among others. Terminal server is easy to use and enables all company data...
Words: 372 - Pages: 2
...IT-255 Part 1 Multi-Layer Security Outline Task at hand: Richman Investments Network Division has been handed the task of creating a general solutions outline for the safety of data and information that belongs to their organization. The following outline will cover the security solutions of the seven domains that the IT infrastructure is made of. User Domain | The User Domain is the weakest link of the seven layers. This is from users not being aware of security policies and procedures. | To secure this link to its fullest, the employees should be trained and updated with security policies and procedures. The system should have firewall and antivirus software installed as well. | Workstation Domain | The Workstation Domain can be made up of desktops, laptops, iPods and/or personal assisting tools like smartphones. | The common threat to the Workstation is unauthorized access to the system. The solution would be to enable password protection and automatic lockout during times of inactivity. | LAN Domain | A LAN is a collection of computers connected to each other. The links can use several tools, directly connected with a switch and wirelessly with a router being the most common. | Unauthorized access can tap into and work its way into workstations and data centers (servers). To put up a block and set up countermeasures, a firewall and OS security software should be installed and monitored. | LAN-TO-WAN Domain | LAN-to-WAN is where the IT infrastructure links to a wide...
Words: 779 - Pages: 4
...Personal Communication Devices and Voicemail Policy 1.0 Purpose This document describes Information Security's requirements for Personal Communication Devices and Voicemail for Richmond Investments. 2.0 Scope This policy applies to any use of Personal Communication Devices and Richmond Investments Voicemail issued by Richmond Investments or used for Richmond Investments’ business. 3.0 Policy 3.1 Issuing Policy Personal Communication Devices (PCDs) will be issued only to Richmond Investments personnel with duties that require them to be in immediate and frequent contact when they are away from their normal work locations. For the purpose of this policy, PCDs are defined to include handheld wireless devices, cellular telephones and laptop wireless cards. Effective distribution of the various technological devices must be limited to persons for whom the productivity gained is appropriate in relation to the costs incurred. Handheld wireless devices may be issued, for operational efficiency, to Richmond Investments personnel who need to conduct immediate, critical Richmond Investments business. These individuals generally are at the executive and management level. In addition to verbal contact, it is necessary that they have the capability to review and have documented responses to critical issues. 3.2 Bluetooth Hands-free enabling devices, such as the Bluetooth, may be issued to authorized Richmond Investments personnel who have received approval. Care...
Words: 598 - Pages: 3
...Project Part 2 Corporate Security Policy (7) Dear Richman Investments Senior Management – It has come to my attention that your corporate security policy for the firm is out of date and that it needs to be updated. In my time here as an intern I have reviewed the security policy and revised it to keep up with all of the technological updates going on in the internet world today. I was assigned this project and, given that we have 5000 employees operating in different locations and different parts of the country, I have noticed that some of the other branches do not follow the firm’s policies as they should. Some branches operate on their own policies. I have drafted up a new and improved corporate security policy that covers emails, mobile devices, computer usage, email retention policies, passwords, etc. I hope this will help streamline our security policy across the board so that everyone is on the same page and so there is no misinterpretation by any firm employee or otherwise. RICHMAN INVESTMENTS CORPORATE SECURITY POLICY Use of Phone and Mail Systems Personal use of the telephone for long-distance and toll calls is not permitted. Employees should practice discretion when making local personal calls and may be required to reimburse the Firm for any charges resulting from their personal use of the telephone. The mail system is reserved for business purposes only. Employees should refrain from sending or receiving personal mail at the workplace. To...
Words: 1596 - Pages: 7
...Shovels and Shingles * All 12 computers will have a user name and login * There will be a share on the network for important documents to be saved. None will be saved locally. This ensures better access control management * Only Management can have full access to the payroll, time sheets and customer information * Other employees get read access for time sheets and only get write privileges for files that pertain to their job Top Ads * All 12 computers will have a user name and login * There will be a share on the network for important documents to be saved. None will be saved locally. * Only Management can have full access to the payroll, time sheets and customer information * Other employees get read access for time sheets and only get write privileges for files that pertain to their job NetSecIT * Establish Active Directory and GPO for all accounts * Separate shares for each department * Read and write only to the department that the employee resides in * Read access for the Managers to the other shares that they will need to view * All phones will have an access pin and be able to use webmail, our email server Confidential Services * Establish Active Directory and GPO for all accounts * Separate shares for each department * Read and write only to the department that the employee resides in * Read access for the Managers to the other shares that they will need to view * All phones will have an access pin and be able to use webmail...
Words: 283 - Pages: 2
...Rio Hondo College: No person may use Library computer resources for any illegal or unauthorized act. Specifically, individuals may not use computing resources to violate any state or federal laws or any regulation of Rio Hondo Community College including, but not limited to, any laws and regulations governing the creation, dissemination, or possession of pornography or other illegal documents or images; the possession or use of programs, files or instructions for violating system security; and the violation of copyright law. Changing, modifying, or eliminating Library computer configurations and loading any application or program software onto the Library computers is prohibited. The availability of Internet resources will be determined by staff at Rio Hondo College Library. As of this writing, non-course-related chat or chat-like activities are NOT allowed. North Dakota EduTech Support: Under no conditions shall any user provide another person with access to or use of their account. Similarly, users shall not examine, change, or use any account but their own. No user may represent themselves as another individual or entity in electronic communication. Users shall not deliberately attempt to degrade system performance or capability. Knowledge of system or special passwords does not convey permission or privilege to use such passwords. No account shall be used to damage a system or file or remove information without authorization. Users should expect only limited privacy...
Words: 425 - Pages: 2