MSc in Information Security

Submitted on May 19, 2009, 7:52 p.m.

Whew – well after a tough few months I’ve finally completed the coursework towards my masters degree in Information Security - taught by the Information Security Group (ISG) at Royal Holloway,  (via the University of London External System). The online syllabus is available from the external system and the ISG also provides an overview of the programme here. In addition to the syllabus and ISG’s introduction - I thought that a personal summary might be useful for those considering the programme.

As per the syllabus – there are four compulsory modules, two optional modules and a final project. A module is really a course, composed of roughly ten units, and lasts the full academic year – from October to the final exam in May.  Here’s a description of the compulsory modules (accurate as of 2008/09 academic year) along with my two chosen optional modules.

IC01 Security Management This course addresses the major themes of security management, including people, processes and technology with particular emphasis on the role of policy in helping to shape an organisation’s security management strategy. The ISO 27000 series of standards (ISO 27001 and 27002 in particular) are covered in detail. COBIT, ITIL, ISF SOGP along with the DPA, RIPA, and relevant EU directives are examined. So too is the impact of industry specific regulations such as Sarbanes Oxley, Turnbull, Basel II, and HIPAA. Principles of risk assessment (quantitative/qualitative), compliance, audit, and management including excellent lectures from industry leaders help to round out what is probably the most important message of the course; namely the importance of creating organisational awareness and a culture of information security that includes all aspects of the business (and not just the technology). Some of the material on the course was a little dated but relevant nevertheless.  A ‘must read’ companion to this course is Bruce Schneier’s ‘Secrets and Lies.’

IC02 An Introduction to Cryptography and Security Mechanisms This was a really great course in cryptography and security mechanisms. Pitched at just the right level for non-maths graduates the course explains the roles of all the major cryptographic primitives, including symmetric key cryptography (block and stream ciphers), hashes, message authentication codes, asymmetric (public) key cryptography and digital signatures. Historical algorithms along with well known algorithms like DES, AES, RSA, Diffie-Hellman and others are explained in detail (including worked examples of RSA modulus, public and private key calculations). The use of these primitives as mechanisms for providing higher level security services like data integrity, data origin authentication, entity authentication (unilateral and mutual authentication protocols) and non-repudiation is also explained in detail. If you can get a copy – you really should ready Stephen Levy’s book ‘Crypto - Secrecy and Privacy in the New Code War’ for a brilliant side-by-side narrative of everything that happened in the crypto world from 1975 onwards. It puts the course into perspective and explains exactly what was happening from the 70s to the 90s in the struggle between governments attempting to regulate crypto, and the commercial interests of the private sector. Simon Singh’s ‘The Code Book’ is also another great companion read.

IC03 Network Security Also a great course on the fundamentals of network communications security including ISO 7498-2, as well as detailed analysis of network, transport, and application level security protocols (IPSec, SSL/TLS, SSH, Kerberos etc.) Other unit subjects included biometrics, email security, wireless networking, firewalls, GSM/UMTS security and an introduction to intrusion detection systems (IDS). One of the texts for this course is Douglas Comer’s brilliant book - 'Computer Networks and Internets (5th Edition)'.

IC04 Computer Security A bit like IC02 above – there was some important history in this course in terms of the evolution of computer security, operating systems and formal security models including Bell Lapadula, Biba, Chinese Wall, and Clark-Wilson. For me at least – a real eye opener and it filled in a lot of important gaps – especially in terms of access control and some of the things I’d previously worked on in the areas of authorisation and workflow. Units on security in Pentium architecture, Unix/Linux, IBM z/OS and Windows helped to round off theory with real world and practical examples of applied computer security.

OPT5 Secure Electronic Commerce and Other Applications I’d assumed (which turned out to be partially correct) that this course would be close to my comfort zone given my background in Web and e-commerce development. The course was ok – but I think could be structured better. It’s a pretty large subject (especially the ‘other applications’). The course’s primary objective is to link security specific methodologies to the traditional software development lifecycle as well as emphasise the different security approaches that might be required depending on the context of the application. Information flow analysis, threat modelling and application level risk assessment are covered in the opening units. The TETRA system is used as an initial case study, followed by units on Web application security, Web services security and an excellent unit on identity management. The final units introduce smart cards and the EMV standard. Lots of help from IC02 in this module as secure protocols are described in several units.

OPT12 Smart Cards/Tokens Security and Applications This course was new to the distance learning programme this year (although taught at the ISG for several years). The accompanying text – ‘Smart Cards, Tokens, Security and Applications’ edited by two RHUL faculty members, Keith Mayes and Konstantinos Markantonakis – is a tour de force on all things in the smart card world. I’ll never look at my ‘chip and pin’ credit card the same way again. A really great course, benefiting hugely from being fresh and up-to-date. Topics included smart card production, smart card development, smart card for mobile communications (GMS/UMTS), banking and finance (EMV), RFID and contactless smart cards, smart cards in video broadcasting (DVB), an introduction to trusted platform modules (TCG/TPM), the Common Criteria (ISO 15408) for evaluation assurance, ID cards, e-passports and a fascinating unit on smart card attacks and countermeasures from Jacques Fournier at Gemalto.  

In Summary Looking back on the last two years, there were times when I wasn’t entirely sure how it was all going to fit together. With the benefit of hindsight I can clearly see the aims of the programme, and how the ISG has attempted to strike a balance between history, fundamentals, and applied techniques in information security. The ISG has also put a lot of work into creating the distance learning version of this degree. They’ve experimented with multimedia and an online format which for the most part works well (although I still lean towards printed material and my trusty highlighter). Some of the material however (in particular a couple of the lectures in IC01) is starting to show its age and could do with a refresh – or at the least with a yearly update to the introduction for each module. The course has totally changed the way I view the ‘information age’,  information security, and privacy (having now taken the ‘red pill’). I’m extremely glad I enrolled and looking forward to putting what I’ve learned into practise on future projects. Also looking forward to taking my time and working on my final project at a more relaxed pace over the next year or so.

To be continued…