

Fall 2015


AIT 671 -- Information System Infrastructure Lifecycle Management

Instructor:  Jay Holcomb, Adjunct Faculty, Department of Information Sciences and Technology, Volgenau School of Engineering

GMU Website:  http://mason.gmu.edu/~jholcom9/

E-mail:  jholcom9@gmu.edu

Course: AIT 673 -- Cyber Incident Handling/Response

Examines the Computer Emergency Response Team (CERT) function, including Incident Response, Vulnerability Assessment, Incident Analysis, Malcode Analysis, Forensics and Investigations. Includes exercises in CERT operations and a final Incident Handling project.

Credits: 3

Day/Time:  Thursday, 7:20pm – 10:00pm

Where:  IN133

Textbook (Required):

Jason Luttgens, Matthew Pepe, and Kevin Mandia, Incident Response & Computer Forensics, Third Edition, McGraw-Hill Education; 3rd Edition (August 8, 2014). ISBN: 978-0071798686 
(http://www.amazon.com/Incident-Response-Computer-Forensics-Edition/dp/0071798684/)


Also available on Safari Tech Books Online, part of the E-Book Databases@Mason.
(http://proquest.safaribooksonline.com.mutex.gmu.edu/book/networking/incident-response/9780071798686?bookview=overview)

Other Resources:

Paper readings and Internet resources posted on Blackboard -- AIT 673 Course

Course Goals:

  1. Obtain basic knowledge on dealing with system security related incidents.
  2. Increase knowledge on potential defenses and counter measures against common threat vectors/vulnerabilities.
  3. Gain experience using tools and common processes in performing analysis of compromised systems and dynamic malware analysis.
  4. Obtain current knowledge of events and tools/support kits in the subject area.

Course Expectations:

  1. Graduate education requires dedication and organization. Proper preparation is expected every week. You are expected to log into our Blackboard course each week and complete any assignments and activities on or before due dates.
  2. Students must check their GMU email messages on a daily basis for course announcements, which may include reminders, revisions, and updates.
  3. It is expected that you will familiarize yourself with and adhere to the Honor Code. (http://oai.gmu.edu/the-mason-honor-code-2/) Student members of the George Mason University community pledge not to cheat, plagiarize, steal, and/or lie in matters related to academic work.
  4. It is essential to communicate any questions or problems to me promptly.

Learning Community:

This course is supported via Blackboard
(Log into http://mymason.gmu.edu, select the Courses Tab, and the course can be found in the Course List).

Each week begins on Monday and ends on Sunday.

In our learning community, we must be respectful of one another.  Please be aware that innocent remarks can be easily misconstrued. Sarcasm and humor can be easily taken out of context. When communicating, please be positive and diplomatic.

I encourage you to learn more about Netiquette. (http://networketiquette.net/index.html)

Grading policy:

Grades will be determined based on the following:

Grade Component                           Weight
Current Cyber Event Paper #1              7.5%
Current Cyber Event Paper #2              7.5%
Team Paper -- User Training Pro / Cons    10%
Quiz                                      5%
Lab assignments (10% each)                30%
Team Project and Presentation             30%
Class Participation                       10%
Total:                                    100%

The grading scale for this course is: 

Numeric Grade    Letter Grade
97 – 100%        A+
93 – 96%         A
90 – 92%         A-
87 – 89%         B+
83 – 86%         B
80 – 82%         B-
77 – 79%         C+
73 – 76%         C
70 – 72%         C-
60 – 69%         D
0 – 59%          F

Current Cyber Event Papers (2 @ 7.5% each = 15%):

Select a recent cyber event, research the event using open source references, and then write an executive-level technical brief on it.  Include, at a minimum: the threat vector used, the vulnerability attacked, the incident response actions taken, your recommended mitigations, and the business impact of the event.  The paper should be one page, with a maximum of two pages.  (One page is a single side of paper.)   On a separate page include your open source references; a minimum of two (2) unique sources is required.

Quiz (5%): 

A 25-question, open-book, multiple-choice quiz covering the key terms/topics discussed during the first seven (7) weeks of the course. 
If you are unable to complete the quiz within the allotted time, a written make-up assignment may be completed.  (It must be completed within 2 weeks of the quiz for credit.)

Team Paper -- Case Study #2 (10%):  (Five teams of 5 people each)

Using Case Study #2 (Chapter 1, page 15) build a high-level remediation plan outline and answer four (4) incident response remediation questions.

Lab Assignments (3 labs, 10% each): 

Three (3) labs supporting incident handling/response actions, attack vectors, and network defense options.
If you are unable to attend a lab, a written make-up assignment may be completed.  (It must be completed within 2 weeks of the missed lab for credit.)

Team Project and Presentation (30%):  (Five teams of 5 people each)

Incident response team: select a fictitious critical infrastructure sector company and create a senior executive (CISO/CIO) level report, with an accompanying executive briefing, highlighting why your company needs an internal CIRT/CERT team or why it should outsource the CIRT/CERT capability.
At a minimum, cover what will happen when your company is hit with malicious software or a breach, describing a potential company incident in great detail.  Include how your recommended CIRT/CERT team will approach/engage, the processes they will use, the tools (software and hardware) that you expect them to have/use, timing and potential business impacts, estimated incident costs (including potential CIRT/CERT team set-up and team O&M), team skills needed with estimated costs, and the [critical] reporting processes.
The report should be less than 25 pages.  (One page is a single side of paper.)   On a separate attachment include your open source references.
The report and presentation will be given during our final two sessions.

Class Participation (10%): 

Active participation in weekly lectures, labs, and team assignments.

Lecture Schedule (Tentative):

Week 1: Introduction to Incident Response and Handling -- CIRT/CERT Overview

Objective:  Develop an understanding of the purpose of a Computer Emergency Response Team (CERT), why an organization needs a CERT, composition of a CERT team, and the incident response life cycle.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 2: Incident Response Team and Case Study #1

Objective: Analyze the pre-incident preparation required by an incident response team and the organization.  Identify key areas of the organization, incident response team, and corporate infrastructure needed to develop for a successful incident response capability.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 3: Networking Security Monitoring and Indicators/Leads

Objective:  Identify the types of networking monitoring an organization may implement and explain the benefits for implementing network monitoring within an organization.  Define the value of a lead/indicator to an incident response team and follow-on value to the larger organization.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 3 Assignment:

Week 4:  Initial Incident Detection/Facts

Objective: Explain why initial facts in a potential incident are critical and how checklists can help provide objectivity to a potential incident detection.  Identify three checklists that could assist the incident response team with objectivity regarding a potential incident detection.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 4 Assignment:

Week 5: Enterprise Services and Case Study #2

Objective:  Identify at least five (5) enterprise network services that most organizations implement.  Explain the functions and benefits of these network services to an organization and their importance to an incident response team.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 5 Assignment:

Week 6: Forensic Duplication and Hashing

Objective:  Identify the three primary types of forensic images an incident response team may create and differences between the three.  Explain the process used to create a forensic duplication. Describe what hashing is, why is important, and what benefits it provides to the incident response team.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 6 Assignment:

Week 7: Report Writing and Remediation

Objective:  Explain why report writing is one of the most important functions of an incident response team.  Identify and analyze the eight (8) high-level steps which make up the incident response remediation process.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 7 Assignment:

Week 8: Live Data Collection

Objective: Explain the primary purpose for live data collection.  Identify at least five (5) best practices for establishing a good process regarding live data collection.  Compare and contrast memory collection on Microsoft Windows and Unix/Linux based systems.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 8 Assignment:

Week 9: Analysis Methodology

Objective:  Recommend a repeatable process to follow when preparing to gather and analyze incident response related data. 

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 10: Investigating Applications (like Web Browsers/E-mail)

Objective: Explain the value of potential forensic evidence stored within user and server applications.  Describe what application data is and where it is stored.  Analyze web browser user data and the potential value of this data. 

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 10 Assignment:

Week 11: Investigating Windows Systems

Objective:  Identify the potential sources of incident response data on a Microsoft Windows operating system.  Explain the purpose and potential evidence that may be found in the following areas: NTFS/file system, Prefetch, event logs, scheduled tasks, and the Windows registry.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Week 12: Investigating Mac OS X Systems

Objective:  Identify the potential sources of incident response data on an Apple Mac OS X operating system.  Explain the purpose and potential evidence that may be found in the following areas: HFS+ file system, core operating system, Spotlight data, system and application logs, and application and system configurations.

Course Goal Connection:

Required Reading:

Other Reading (Recommended):

Paper readings and Internet resources posted on Blackboard -- AIT 673

Week 12 Assignment:

Team Project Delivery/Presentation

Week 13:  Team Reports and Presentations

Week 14:  Team Reports and Presentations


Honor Code:

All work performed in this course will be subject to GMU’s Honor Code. (http://oai.gmu.edu/the-mason-honor-code-2/)  Any violation will be reported to the honor committee.

Academic Integrity:

GMU is an Honor Code university; please see the Office for Academic Integrity (http://academicintegrity.gmu.edu/honorcode/) for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else’s work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification.

Office of Disability Services:

If you are a student with a disability and you need academic accommodations, please notify me and contact the Office for Disability Services (ODS) [http://cte.gmu.edu/teaching/disability%20services] at 993-2474, http://ods.gmu.edu. All academic accommodations must be arranged through the ODS.

Mason e-mail Accounts:

Students must use their MasonLIVE email account to receive important University information, including messages related to this class. See http://masonlive.gmu.edu for more information.

Other Useful Campus Resources:

Writing Center:  A114 Robinson Hall; (703) 993-1200; http://writingcenter.gmu.edu
University Libraries “Ask a Librarian”: http://library.gmu.edu/mudge/IM/IMRef.html
Counseling And Psychological Services (CAPS): (703) 993-2380; http://caps.gmu.edu
University Policies: The University Catalog, http://catalog.gmu.edu, is the central resource for university policies affecting student, faculty, and staff conduct in university academic affairs.  Other policies are available at http://universitypolicy.gmu.edu/.  All members of the university community are responsible for knowing and following established policies.


Last Updated:  August 24, 2015