KUNGLIGA TEKNISKA HÖGSKOLAN

ROYAL INSTITUTE OF TECHNOLOGY

 

MASTER OF SCIENCE IN INFORMATION AND COMMUNICATION SYSTEMS SECURITY

80 CREDITS

Degree: 'Master of Science in Information Technology with specialisation in Information and Communication Systems Security'. ('Teknologie Magister i informationsteknik med inriktning mot informations- och kommunikationssäkerhet')

Description: ‘After completing this programme, students should possess the knowledge, skills and attitude necessary to develop, plan, manage and perform, in a professional manner, necessary activities in the field of information and communication security in the public as well as the private sectors. Students will acquire a solid foundation for further development in the information and communication security field and for the extension of their own competence.’

COURSES

Introduction to Information Security and its Environment

10 credits

Course description

1. •A holistic approach to information and computer security 
   

2. •Studying concepts and terminology commonly used in the area of IT security, to be unimpeded when reading articles written by professionals and researchers in the area.  Critically analysing IT environments, identifying possible vulnerabilities and suggesting effective protective measures such as would alleviate those vulnerabilities.
   
   

Course topics

1. •General Systems Theory
   

2. •Cybernetics and Control Systems
   

3. •Living Systems Theory
   

4. •Introduction to information security (attacks/services/CIA/Threats/DAC-MAC)
   

5. •Security Models and Policies (La PaDula / BIBA / Clark-Wilson)
   

6. •Cryptography overview (Classical /  Modern / Cryptanalysis)
   

7. •Security Architectures, Identification, authentication, access control. 
   

8. •Malicious Software (Viruses, worms, trojan horses, Covert channels)
   

9. •Program Security 
   

10. •Security Tools 
    

11. •Assurance 
    

12. •Law and ethics 
    

13. •Privacy and Privacy Enhancement Tools
    
    

Books

1. •Schoderbek, Schoderbek, Kefelas: Management Systems. Conceptual Considerations 
   

2. •Matt Bishop: Introduction to Computer Security 
   
   

Projects

1. •System Holistic Approach: Application of Systems Theories to create a security policy for the Oregon University System.
   

2. •System Holistic Approach: Ethics in IT Security (nominated for best student project)
   

3. •Testing of security tools: Key loggers, Trojans, Nmap, Nessus, Dsniff, Ettercap, Ethereal, tcpdump, Snort, ...
   

4. •Exploiting vulnerabilities of the Microsoft Windows Operating System: RPC, WINS, IIS exploits.  Utility usage: Netcat, nmap, tcpview, pskill, ntscan
   
   

Grade: 5

Advanced Internetworking

6 credits

Course description

1. •Deeper understanding of internetworking and routing protocols
   

2. •Design, operation, implementation and analysis of networking protocols
   
   

Course topics

1. •Bridging: Learning / Spanning Tree / Virtual LAN’s
   

2. •Internetworking protocols: IP / IPX / Appletalk / CLNP / DECNET / IPv6
   

3. •Intradomain Routing Protocols: RIP / OSPF / IS-IS
   

4. •Network Layer Multicast (IGMP / DVMRP / PIM-SIM /Simple Multicast
   
   

Books

1. •Radia Perlman: Interconnections: Bridges, Routers, Switches, and Internetworking Protocols
   
   

Projects

1. •ISP project: setting up of services necessary for running an ISP infrastructure:
   

2. •DNS servers (BIND), HTTP web server (ISC DHCP), FTP server (VSFTPD), SIP VoIP proxy server (Asterisk), OSPF Dynamic Inter-domain Routing (Zebra, Quagga).  
   
   

Grade: 5

Introduction to Cryptography

5 credits

Course description

An advanced course about symmetric and asymmetric cryptography.  

1. •Mathematical foundations for cryptography 
   

2. •Symmetric and asymmetric cryptosystems
   
   

Course topics

1. •Classical Cryptography
   

2. •Substitution & Transposition 
   

3. •Statistical analysis (Index of coincidence / Entropy)
   

4. •Stream Ciphers
   

5. •LFSR / RC4 / A5 / Self-synchronisation
   

6. •Block Ciphers
   

7. •Feistel Cipher / Key generation / Flaws
   

8. •DES / AES
   

9. •Operational Modes (CBC / EBC / CTR / ...)
   

10. •Public Key Cryptography
    

11. •RSA / El-Gamal / Diffie Hellman / Elliptic Curve
    

12. •Randomness (pseudo randomness, real randomness tests) 
    

13. •chi square, Frequency testing, Gap & run, Correlation
    

14. •Hashing (SHA-1 / MD5 / Collisions / birthday paradox)
    

15. •Authentication (Smartcard chall.resp. / NT Auth. / Unix Auth.)
    
    

Books

1. •Bruce Schneier: Applied Cryptography 
   
   

Projects

1. •Cryptanalysis of a simple substitution cipher: Frequency analysis, Index of Coincidence, Monograph statistics
   

2. •Cryptanalysis of the Mexican Army Cipher
   

3. •Analysis of 2 classic cipher machines (Enigma, Geheimschreiber) and 2 modern cipher systems (AES, Blowfish)
   

4. •Randomness: chi square, Frequency testing, Gap & run, Correlation
   
   

Grade: 5

Network Security

5 credits

Course description

An advanced course on security mechanisms in distributed information systems.  The goals of the course are to familiarize the students with:  

1. •secure communication over insecure networks 
   

2. •different technologies for authentication in distributed systems 
   
   

Course topics

1. •Digital signatures 
   

2. •Public-Key Infrastructure (PKI) and Trusted Third Party (TTP) 
   

3. •Message authentication 
   

4. •Network authentication (Kerberos) 
   

5. •Email security 
   

6. •VPN technology (IPSec) 
   

7. •WWW security (SSL/TLS/SET) 
   

8. •Security in Web services
   
   

Books

1. •Scott Oaks: Java Security  
   

2. •William Stallings: Network Security Essentials 
   
   

Projects

1. •Implementation of the Diffie-Hellman key exchange protocol in Java.
   
   

Grade: 5

Security for Java Environment and Electronic Commerce

4 credits

Course description

Advanced, high specialization course in java security, with special emphasis on security for electronic commerce.  

Course topics

1. •Security technologies in Java development/runtime platform 
   

2. •Security protocols and architectures for Java applications 
   

3. •Secure Electronic Transactions (SET) protocol and EC extensions 
   

4. •Smart cards technologies and applications for security and electronic commerce 
   
   

Books 

1. •Scott Oaks : Java Security 
   

2. •Jonathan Knudsen : Java Cryptography 
   
   

Projects

1. •Smart Card Identification: Design and implementation of a personal identity verification system based on Java smart cards. The system consists of a Java smart card applet for storing identity information (coded with the Java Card development kit) and a Java application, with a user interface, for verifying this information.
   
   

Grade: 5

Security in Mobile/Wireless Networks

4 credits

Course description

1. •Comprehensive overview of all relevant aspects of security in mobile and wireless networks.  
   

2. •Introduction to new, advanced research topics. 
   
   

Course topics

1. •Introduction to wireless networks security 
   

2. •Analysis of threats and application requirements 
   

3. •Wireless networks security components
   

4. •Security services in wireless and mobile networks: authentication, authorization, data confidentiality, data integrity and access control 
   

5. •Security infrastructure for wireless mobile networks: keys and certificate management 
   

6. •Secure group applications 
   

7. •Security of mobile code
   
   

Books 

1. •Jon Edney, William A. Arbaugh: Real 802.11 Security - Wi-Fi Protected Access and 802.11i 
   
   

Projects

1. •Wireless LAN traffic analysis, cracking WEP encryption.
   

2. •Captive Portals: Installation and configuration of the captive portal NoCatAuth to provide authentication to wireless networks.
   
   
   

Grade: 5

Software Engineering and Security Architecture

5 credits

Course description

This course focuses on methods, modelling, design, threats and vulnerabilities of software security solutions, Common Criteria/ITSEC, software security and some of their pitfalls (such as buffer overflow and race conditions), and the role of security personnel in project teams.

Course topics

1. •Introduction to software security, and the role of security personnel in project teams 
   

2. •Overview of software systems engineering and architecture principles for software security 
   

3. •Overview of technology selection such as programming languages, operating systems and authentication 
   

4. •System security analysis, attack trees and source-level security auditing tools 
   

5. •Buffer overflow, race conditions and other common threats for software solutions 
   

6. •Problems of randomness and determinism
   

7. •Common Criteria guest lectures:
   

8. ๏Mats Ohlin: FMV Civil government agency, boosting overall capability of total defence organisation
   

9. ๏Trust2You Consultant: Common Criteria specialist
   

10. ๏Swedac: SWEDAC is the Swedish national accreditation body for CC
    

11. ๏@sec: Information security provider, specialised in Common Criteria (Structure ST / PP)
    

12. ๏CSEC: Swedish Certification Body for IT Security
    
    

Books 

1. •John Viega, Gary McGraw: Building Secure Software - how to avoid security problems, 
   
   

Projects

1. •Common Criteria - Evaluation of a Protection Profile: Mobile Phone Digital Rights Management Protection Profile.  How threats are countered by objectives, how objectives are fulfilled by security requirements.
   

2. •Common Criteria: Practical software evaluation of the SnipSnap application
   

3. •Web Server C source code audit with Rough Auditing Tool for Security (RATS)
   
   
   

Grade: 4

Legal Aspects of Information Security

5 credits

Course description

An advanced course on the legal aspects involved in the work of information security professionals.  The goals of the course are to familiarize the students with: the laws and regulations relevant for information security professionals comprising such concepts as privacy, freedom of information and intellectual property rights, privacy, intellectual property and digital rights.

Course topics

1. •Introduction to law in a digital environment 
   

2. •Freedom of information and privacy protection 
   

3. •E-government 
   

4. •Intellectual property rights on the Internet 
   

5. •Intellectual property law and ownership in employment relationships 
   

6. •Designing a legal interface for contracting on the Internet 
   

7. •E-procurement 
   

8. •Electronic signatures in a legal context 
   

9. •Dispute resolution on the Internet 
   

10. •Criminal law in an internet environment
    
    

Books 

1. •Cecilia Magnusson Sjöberg (Ed.): IT Law for IT Professionals: an introduction 
   
   

Projects

1. •Pre-contract, negotiation, and contract agreement of IT contracts
   
   

Grade: 3

Security Management

10 credits

Course description

Organisational and managerial aspects of information security and operative risk, such as governance, risk and security management, and criminological and sociological aspects of IS/IT security in organisations.

Course topics

1. •Corporate and IT governance 
   

2. •Operative risk 
   

3. •Risk tolerance and risk appetite 
   

4. •Risk analysis and vulnerability assessment 
   

5. •Security standards and framework (ITIL, ISO17799, COBIT, OCTAVE)
   

6. •Cost/benefit analysis 
   

7. •Acceptance Criteria 
   

8. •Organisational behaviour
   

9. ๏Actions and attitudes that people and groups exhibit in Organization
   

10. ๏Ethical considerations
    

11. ๏Motivation (MBO / Employee involvement / education / ...)
    

12. ๏Decision Making
    

13. ๏Leadership
    
    

Books 

1. •Alberts, Christopher et al: Managing Information Security Risks 
   

2. •Stephen P. Robbins: Essentials of Organizational Behaviour 
   
   

Projects

I was chosen the ‘security director’ and leaded a group of 10 students working on the

following projects:

1. •Managed Security Services
   

2. ๏Threats to Ericsson’s core business interests
   

3. ๏Services offered by MSSP’s 
   

4. ๏Advantages & Disadvantages of MSS
   

5. ๏MSS Procurement details
   

6. ๏Implications and side effects with procuring MSS
   

7. •A Qualitative Risk Analysis of the Business Area of Managed Security Services
   

8. ๏Identification of critical resources
   

9. ๏Identification of Value drivers and KPI’s
   

10. ๏Risk Analysis
    

11. •Identification and creation of risk profiles
    

12. ๏Risk prioritisation and impact analysis
    

13. ๏Mitigation plan and strategy
    
    

Grade: 5

Value Based Risk Management

5 credits

Course description

This advanced course in IS/IT Risk Management focuses on the need of a shareholder

perspective in order to cost-effectively secure shareholder value against IS/IT perils. The

course focuses particularly on risk management in outsourcing and offshoring.

Course topics

1. •Introduction to the concept of Shareholder Value
   

2. •Overview of internal methods for promoting shareholder value
   

3. •Enterprise Security Architecture
   

4. •Outsourcing
   

5. •Offshoring
   

6. •Guest Lectures:
   

7. ๏Kim Thomas, PriceWaterHouseCoopers: Outsourcing – a risk and security perspective
   

8. ๏Jan Persson, SEB: Security Strategies – in an offshored business model
   

9. ๏Electrolux
   
   

Books 

1. •Sherwood et al: Enterprise Security Architecture – A Business Driven Approach
   

2. •C. Magnusson, the Confederation of Swedish Enterprise: “India and China – from an Information Security Perspective”
   
   

Projects

I was the project leader for the course assignment:

1. •Business Driven Security Architecture
   

2. ๏Goal: Deliver a project proposal for a business driven security architecture. The assignment was based on an ongoing project to offshore a Fortune 100 company’s IT operations to an offshore supplier in Bangalore, India. 
   

3. ๏Problem: The company, heavily dependent on IT, was in urgent need of a security architecture to be able to communicate their businesses security requirements to their offshore partner.
   

4. ๏Tasks:
   

5. ‣Develop a business driven security architecture
   

6. ‣Present the different layers of the architecture
   

7. ‣Determine the security services that the supplier should provide
   

8. ‣Determine the type and strength of security mechanisms
   
   

Grade: 5

Research Methodology and Scientific Writing

2 credits

Course topics

1. •Principles of science and research
   

2. •Thesis structure, format and report writing
   

3. •Problem definition
   

4. •Common thesis types
   

5. •Four levels of method and choosing a research method
   

6. •Finding and using literature
   
   

Grade: 4

Master Thesis

20 credits

Title: “Corporate Governance: From COSO-ERM to ISO 27001”

Abstract:

Following several high profile business collapses such as Enron and WorldCom, and consequently emerging compliance legislations such as the Sarbanes-Oxley Act, there has been a growing pressure on organizations to enhance the transparency of their internal control and financial reports, and the responsibilities of senior management have severely increased. This situation has led to a better understanding of the importance of - previously underestimated - corporate governance.

To facilitate the complicated issue of implementing corporate governance and closely related topics such as IT governance, IT security management and IT services management, a number of standards, frameworks and best practices have been created by international bodies. While these standards and frameworks provide guidance for their solo implementation, integrating them becomes a challenge since there is a lack of information when it comes to their collaborative use. This situation causes confusion and difficulties in most companies where several of these standards have to be in place together.

This master thesis investigates the problem by comparing and identifying the gaps and overlaps between COSO-ERM, ISO 20000, ISO 27001 and the Security Architecture Model. It then analyzes the COBIT framework as a potential facilitator for the integration, and discusses the possibilities of using it.