Hello Everyone!

Welcome to Eastern Michigan University, the Information Assurance Program and to IA-103.

This course provides an overview of security challenges and countermeasure strategies in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems.

Please take a moment to read through the Syllabus and Course Information.  These sections of the course will give you an overview of what you are about to learn.  Please note information regarding the required book for the course.  Though the Syllabus and the Course Information differ slightly, the content of the course remains the same.  The schedule we will follow is the one found in the Course Information.   The timing we will follow per Unit is laid out by date in "Nuts & Bolts".

VERY IMPORTANT:  Please read the "Nuts & Bolts" section carefully.  It contains the schedule of when each unit of study will be available to you.  The schedule is set up in such a way so that you can pace yourself and stay on track to finish each assignment in a timely fashion.  It also contains details on assignments, exams and grading.

Lastly, please refer to the Instructor Information tab so you know how to contact me.   Online classes can be a challenge due to lack of personal interaction.  That said, I don't want to just be a faceless grader on the other end of your course.  If you have any questions, concerns or issues, PLEASE feel free to email me or stop by my office hours.

I look forward to an excellent semester with each and every one of you.

Syllabus

Instructor: Guillermo Moreno
email:  Guillermo.moreno@leonagroup.com

Office Hours: 

*** Always available via email.  

*** Discussion Board on Course Homepage checked Daily.

SCHEDULE OF DATES

- UNIT 1 :  1/9-14
- UNIT 2 :  1/15-21
- UNIT 3 :  1/22-2/4
- UNIT 4 :  2/5-11

- MIDTERM WINDOW :  2/13-17

- UNIT 5 :  2/19-25
- SPRING BREAK:  2/27-3/2
- UNIT 6 :  3/4-10
- UNIT 7 :  3/11-17
- UNIT 8 :  3/18-24
- UNIT 9 :  3/25-31
- UNIT 10: 4/1-15 (Holiday Considered)
- UNIT 11: 4/16-21 (Course Review)

- FINAL EXAM WINDOW:  4/23-27 (in accordance with University Exam Schedule)
* Refer to the Course Information (Course Outline) for specific Reading, Labs and Assignments in each Unit

LABS
Labs are formal assignments that may take the form of articles, exercises and case studies that must be read and commented upon.   Comments are not graded for content, style or grammar.  Rather, they are graded on demonstrated effort and insight.  Labs are due on or before the last day of the Unit (see Schedule above).  Each Lab is worth 2% of your grade (with the exception of Unit 7, in which there are 2 Labs worth 1% each).

HOMEWORK ASSIGNMENTS
Homework Assignments are formal, graded work that must be submitted in the required format.   They must be submitted to the correct Dropbox on or before the last day of the Unit (see Schedule above).  Each Homework assignment is worth 2% of your grade.

MIDTERM EXAM
The midterm exam will be posted on the first day of the Window (see Schedule above) before 9:00am.   It must be completed and submitted by 11:59pm on the last day of the Window.  The Midterm is worth 30% of your grade.

FINAL EXAM
The final exam will be posted on the first day of the Window (see Schedule above) before 9:00am.   It must be completed and submitted by 11:59pm on the last day of the Window.  The Final Exam is worth 30% of your grade.

GRADING
Grades on Homework, Labs, etc. will usually be viewable in the Gradebook within a week of submission to the correct Dropbox.   If you have concerns about a grade, you may respond via the assignment (dropbox communication), email me, or stop by my office hours. 

"To establish a professional organization committed to aiding students in the pursuit of a career in the Information Assurance field. In addition, this group shall be dedicated to furthering the awareness about the Information Assurance program at Eastern Michigan University, and help guide students who are interested in that field. Aid may be defined as providing information, in various forms such as inviting guest speakers, making students aware of special events and career openings, and offering them a place to receive academic help with IA studies."

http://emu.collegiatelink.net/Community?action=getOrgHome&orgID=13740

Unit 1
The first section includes two assignments. *Lab 1 is a Case Study that you will need to provide commentary on. Homework 1 is a regular homework assignment. Make sure that your assignments are placed in the appropriate Dropbox. Assignments sent via email will NOT BE ACCEPTED. Make sure that both Lab and Homework are in a Microsoft WORD DOCUMENT. NO OTHER FORMAT WILL BE ACCEPTED.  The documents you create should be fairly concise and not difficult to create and post.

* Lab 1 commentary consists of a well-written paragraph presenting your opinion on the ethics of the case study.   Who was more at fault and were the damages awarded appropriate?   Does the fault lie with the active wrongdoer (hacker) or the passive wrongdoer (negligence)?

** Please note:
If, in any assignment, you use information other than what is provided in the Section, you will be required to provide a Works Cited page. This is especially pertinent for research assignments. No credit will be given without it.  

Please keep due dates and schedules on track.

All assignments for this Section are due no later than 1/14/2012, 11:59 PM.
Reading

Kim, D., Solomon, M.G. (2011). Fundamentals of Information Systems Security. Jones and Bartlett Learning. ISBN-13:  978-0-7637-9025-7
Chapter 1 :  Information Systems Security

Power Point: Fundamentals of Information Systems Security

Tables 1 to 8 (Unit 1)

Lab 1.1 Case Study

In March 2010, 28-year-old Albert Gonzalez was sentenced to 20 years in federal prison for breaching security measures at several well-known retailers and stealing millions of credit card numbers, which he then resold across a variety of shadow “carding” Web sites. Using a fairly simple packet sniffer, Gonzalez was able to steal payment card transaction data in real time, which he then parked on blind servers in places such as Latvia and Ukraine—countries formerly part of the Soviet Union. Gonzalez named his activities “Operation Get Rich or Die Tryin'” and lived a lavish lifestyle by selling stolen credit card information. He was eventually tracked down by the U.S. Secret Service, which was investigating the stolen card ring. Operation Get Rich or Die Tryin' took place for more than two years and cost major retailers, such as TJX, OfficeMax, Barnes & Noble, Heartland, and Hannaford, more than $200 million in losses and recovery costs. It is the largest computer crime case ever prosecuted.

At first glance, Operation Get Rich or Die Tryin' seems to be an open-and-shut case. A hacker commits a series of cybercrimes, is caught, and is successfully prosecuted. Fault and blame are assigned to the cybercriminal, and justice is served for the corporations and the millions of people whose credit card information was compromised.

Unless you ask the shareholders, banking partners, and some customers of TJX, who filed a series of class-action lawsuits against the company claiming that the “high-level deficiencies” in its security practices make it at least partially responsible for the damages caused by Albert Gonzalez and his accomplices. The lawsuits point out, for example, that the packet sniffer Gonzalez attached to the TJX network went unnoticed for more than seven months. Court documents also indicate that TJX failed to notice more than 80 GB of stored data being transferred from its servers using TJX’s own high-speed network. Finally, an audit performed by TJX’s payment-card processing partners found that it was noncompliant with 9 of the 12 requirements for secure payment card transactions. TJX’s core information security policies were found to be so ineffective that the judge presiding over the sentencing hearing of Gonzalez reviewed them to determine whether TJX’s damages claim against him of $171 million is valid.
 

Apart from lawsuits, TJX faced a serious backlash from customers and the media when the details of the scope of the breaches trickled out. Customers reacted angrily when they learned that nearly six weeks had passed between the discovery of the breach and its notification to the public. News organizations ran headline stories that painted a picture of TJX as a clueless and uncaring company. Consumer organizations openly warned people not to shop at TJX stores. TJX’s reputation and brand image were shattered in the wake of Operation Get Rich or Die Tryin', and only a small portion of the damage was actually Albert Gonzalez’s fault.

The real lesson of Operation Get Rich or Die Tryin' may not be the crime itself, but how a lackluster security policy was chiefly responsible for it happening in the first place.

Homework # 1