Security in Electronic-Business is a relatively new graduate course on the design and implementation of information security in e‑business systems. As such, the scope and structure of the course are still being worked out. We will rely on the Garfinkel book to provide the basic structure for the course, but we will expand his treatment in various ways as we work through the material. You will also be more involved in setting the structure of the course, through research and presentations, than would normally be the case.
Let's begin with a word about definitions. There is little agreement about the meaning and the most appropriate usage of the terms e-business and e-commerce. You may have noted that the formal title of the course is Security in E-Commerce, while I use the term e-business in the title of the syllabus. There is some consensus that e-business includes all aspects of business, from supply chain management to customer relationship management: it is the end-to-end management of a business using digital means. E-commerce is more often used to refer to the process of buying and selling on the web. This suggests that e-commerce is one facet of e-business, and that e-business is much more than e-commerce. It is in this sense that we use the terms. Regrettably, the faculty felt e-commerce was the better term for the catalog entry.
The course assumes that students are competent programmers with a solid knowledge of operating systems. Because many security examples involve the C language and the Unix operating system, many of the examples given will be in that language and on that operating system. Students with limited C programming experience or minimal experience with Unix workstations may take the course, but should anticipate spending significant additional time familiarizing themselves with the environment during the first weeks of the course.
The course will focus on the technology, concepts, issues and principles that are important in the design and implementation of secure e‑commerce systems. It will examine technology for protecting electronic commerce, and will include discussion of basic security principles as well as the issues, policies and standards particular to e‑commerce applications.
The course is divided into five parts:
The goals of the course are:
The required book for this course is:
This book covers most of the topics I want to cover in this course. Although it will give you the basic concepts, you will find that it does not go into much detail on many of them. I will provide an additional reading list for these topics. Most of the reading materials are available in electronic form via the World Wide Web (WWW). Students are required to read the materials for each topic each week before coming to class.
There are a number of books that may be helpful. These include:
Online resources are very useful for answering questions. A couple of starting points:
There are several things that you should know before you take this course. The course requires a knowledge of the Internet and Internet applications, especially the WWW. It also requires a basic knowledge of the communication protocols used on the Internet. Basic programming skill in C and C++ or Java is strongly recommended.
Your knowledge of programming (particularly C) and of operating systems (particularly Unix) will help you in this course. One way to gauge your readiness for the course is to answer the following questions. If you cannot answer any of them, you will have a tough time with some of the concepts in this course.
The prerequisites for this course are:
· TELCOM 2821: Network Security: Covers fundamental issues and first principles of security and information assurance (confidentiality/ privacy, integrity, authentication, identification, authorization, availability, access control).
· TELCOM-2810/IS-2935: Introduction to Computer Security: This course gives you the basic concepts and an overview of information security.
It is recommended, although not required, that you take the following courses prior to or together with this course.
· INFSCI 2870: Web Technologies and Standards ‑ highly recommended if you want to learn about HTTP, HTML and CGI programming
· INFSCI 2550: Client‑Server & Workstations ‑ highly recommended if you want TCP/IP programming skills
Your grade for the course will come from quizzes, participation, and projects. Grades will be based on the number of points you earn out of 100, with an A awarded for 90-100, a B for 80-90, a C for 65-80 and an F for 0-65. As a general rule of thumb, the instructor views a graduate course as a commitment of 3 hours of homework for every hour of class time. Thus, over the term your reading and work on projects should absorb about 135 hours, and a project worth 10 points anticipates that you will spend about 10 hours on it. Well prepared students will need less time, and students with weak backgrounds will require more. The sources of points are as follows:
You are expected to be fully aware of your responsibility to maintain a high standard of integrity in all of your work. All work must be your own, unless collaboration is specifically and explicitly permitted, as in the course group project. Any unauthorized collaboration or copying will at minimum result in no credit for the affected assignment and may be subject to further action under the University Guidelines for Academic Integrity. You are expected to have read and understood these Guidelines. A document discussing these guidelines was included in your orientation materials.
If you have a disability that requires special testing accommodations or other classroom modifications, please notify both the instructor and Disability Resources and Services by the second week of the term. You may be asked to provide documentation of your disability to determine the appropriateness of accommodations. To notify Disability Resources and Services, call 648-7890 (voice or TDD) to schedule an appointment. The office is located in the William Pitt Union, Room 216.
The course outline below gives a preliminary scope and sequence for the course. Some slippage in the schedule is anticipated if topics require more time than allocated. It is also anticipated that some topics scheduled for later in the term will be addressed earlier, as they come up in class discussion.
Lecture | Topic | Assignments
1 | Introduction: E‑commerce on the Internet | WSP&C 1
2 | Web Technology and Web Security | WSP&C 1-2
3 | Cryptography Basics | WSP&C 3-4
4 | SSL, TLS and PKI | WSP&C 5
5 | Biometrics and Digital Identification | WSP&C 6-7
6 | Privacy and Security | WSP&C 8-11
7 | Coding Issues | WSP&C 12-13
8 | Web Server Security | WSP&C 14-15
9 | Securing Web Applications | WSP&C 16-18
10 | Content Security | WSP&C 20-22
11 | Pornography and Privacy | WSP&C 23-24
12 | Digital Payments | WSP&C 25
13 | Intellectual Property | WSP&C 26
14 | Presentations |
1. A security implementation plan for a website. This would include all aspects of security, from the physical layout of facilities, selection and configuration of hardware and software, and development and deployment procedures, through human resource management, intrusion detection, and contingency plans.
2. Public‑Key Infrastructure (PKI) development plan proposal. This should be a significant demonstration of your ability to apply the knowledge and understanding gained in this course to the real world. The scenario is that you are a committee of the PKI working group of your organization, and your job is to write a proposal for a plan to deploy PKI technology in the organization. The proposal should provide the following information:
· objectives
· design of the Certificate Authority (CA) structure
· the reasons you chose that structure (advantages vs. disadvantages)
· policies and functions of the CA at each level of the structure
· technologies you want to employ (for example, encryption standards, smart card standards) and why they are needed
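As an added illustration of the CA-structure and per-level policy items above (example code written for this syllabus page, not part of the course materials or of the textbook), here is the smallest realistic hierarchy a proposal might argue for: an offline root that certifies only one online issuing CA, which in turn certifies end entities. It is built and checked with Go's standard crypto/x509 package from the relying party's point of view. The organization name, host name and serial numbers are made up. The chain verifies only when the root is in the trust store, the intermediate is presented and the host name matches; a well-formed certificate from a CA nobody enrolled is rejected, and so is a certificate from a sub-CA that the issuing CA was not entitled to create, because the path-length constraint in its certificate encodes that policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template describes a certificate; for a CA, pathLen bounds how many further CAs may sit below it (0 = end entities only).
func template(serial int64, cn string, ca bool, pathLen int) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // TLS server certificate: cn doubles as the host name
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parent sign it; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func certs(c ...*x509.Certificate) []*x509.Certificate { return c }

// Hierarchy is a two-tier PKI: an offline root certifying only the issuing CA, which certifies end entities.
type Hierarchy struct {
	Root, Issuing, Leaf *x509.Certificate
	IssuingKey          *ecdsa.PrivateKey
}

// BuildHierarchy mints root -> issuing CA -> server certificate for host (names and serials are made up).
func BuildHierarchy(host string) *Hierarchy {
	root, rootKey := issue(template(1, "Example Corp Root CA", true, 1), nil, nil)
	issuing, issuingKey := issue(template(2, "Example Corp Issuing CA", true, 0), root, rootKey)
	leaf, _ := issue(template(3, host, false, 0), issuing, issuingKey)
	return &Hierarchy{Root: root, Issuing: issuing, Leaf: leaf, IssuingKey: issuingKey}
}

// VerifyChain is the relying party's check: trust only roots, take intermediates from the presented chain, require host name and EKU.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	const host = "shop.example.com"
	h := BuildHierarchy(host)
	chain, trust := certs(h.Issuing), certs(h.Root)
	fmt.Println("legitimate chain :", VerifyChain(h.Leaf, chain, trust, host))
	fmt.Println("wrong host name  :", VerifyChain(h.Leaf, chain, trust, "evil.example.net"))
	rogue, rogueKey := issue(template(100, "Rogue CA", true, 0), nil, nil)
	rogueLeaf, _ := issue(template(101, host, false, 0), rogue, rogueKey)
	fmt.Println("untrusted root   :", VerifyChain(rogueLeaf, nil, trust, host))
	sub, subKey := issue(template(10, "Unauthorized Sub CA", true, 0), h.Issuing, h.IssuingKey)
	overLeaf, _ := issue(template(11, host, false, 0), sub, subKey)
	fmt.Println("pathlen violation:", VerifyChain(overLeaf, certs(sub, h.Issuing), trust, host))
}
```

The root's pathlen of 1 and the issuing CA's pathlen of 0 put the policy "the root certifies CAs, the issuing CA certifies end entities" into the certificates themselves, so every relying party enforces it without reading the CA's written policy; that is the kind of advantage the "advantages vs. disadvantages" item asks you to argue, and the matching disadvantage is that every renewal still passes through the online issuing CA, whose key is the one most exposed and whose compromise must be recoverable by revoking it at the root.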