Experience-based Master in Information Security - MISEB

Short description

Information technology permeates all aspects of society and has become critical to industry, government, and individual well-being. Securing the vital services and structures and ensuring availability of trustworthy information whenever and wherever it is required has become a field of intensive interdisciplinary research, development and application in the recent years. At the same time, information security has become an area of extensive commercial activity with thousands of companies developing and marketing various services and products for information and communication technology (ICT), e.g. computer systems, communication networks, and software applications. The experience-based master in information security provides the students with complex skills within a specific area of specialization, as well as the theoretical background and attitudes necessary to succeed in this challenging yet eminently rewarding application domain.  

Area(s) of specialization

Track: Digital Forensics and Cybercrime Investigation

Criminal investigations involving computer technology is significantly growing. This applies to both new types of crime as well as traditional crimes that are now being committed by the use of new computer technology. Typical examples are the use of digital media and communication equipment in connection with drug trafficking, sexual offenses, threats and persecution, human trafficking and economic crime. The increasing use of information technology has resulted in new challenges in terms of legislation and law enforcement methods, both nationally and internationally. It is therefore important that the accrued expertise to investigate digital evidence and to prevent cybercrime can be provided on the basis of an understanding of information and communication technology, the implementation of the rule of law as well as the protection and assurance of privacy. The purpose of the digital forensics and cybercrime investigation track is to contribute to the forensic investigation of digital evidence and cybercrime by using forensically sound methods and tools that promote the rule of law and protect privacy. This specialized education is seen in a the wider context of information and cyber security in order to leverage cooperation and exchange between various stakeholders, e.g. ICT and critical infrastructure providers, cooperate-forensic investigators and incident responders, law enforcement, national security and defense.

The objectives of this track of the study program are achieved through a curricula based on courses reflecting current best practices, established standards and new developments in the field, reflecting both profound practical work experiences, development work and research activities of the teaching staff. The track is closely related to practitioners from specialized application domains, e.g. the Norwegian Police University College, as well as the academic research community at NTNU and the Norwegian Information Security laboratory (NISlab).  

Track: Corporate Forensics

The need for criminal investigations in the corporate sector is significantly growing. This applies to both new types of crime as well as traditional crimes that are now being committed by the use of new computer technology. Typical examples are the use of digital media and communication equipment in connection with data theft, mishandling of data leading to compliance issues, corporate espionage and economic crime. The increasing use of information technology has resulted in new challenges in terms of internal and external attacks on corporate values. It is therefore important that the accrued expertise to prevent cybercrime can be provided on the basis of an understanding of information and communication technology, the implementation of company policies as well as the protection and assurance of privacy. The purpose of the corporate forensics track is to contribute to the forensic investigation of digital evidence and cybercrime by using forensically sound methods and tools. This specialized education is seen in a the wider context of information and cyber security in order to leverage cooperation and exchange between various stakeholders, e.g. ICT and critical infrastructure providers, cyber security operators and incident responders, law enforcement, national security and defense.

The objectives of this track of the study program are achieved through a curricula based on courses reflecting current best practices, established standards and new developments in the field, reflecting both profound practical work experiences, development work and research activities of the teaching staff. The track is closely related to practitioners from specialized application domains, as well as the academic research community at NTNU and the Norwegian Information Security laboratory (NISlab).

Track: Cyber Operations

                                           

The increase in digitization of the society comes with a flip side of increase in illegal, malicious and unwanted/unintended use of the cyber domain (cyberattacks). As a result many organizations have seen the need to protect their assets by putting together teams to prevent, detect and handle cyber attacks. These teams (sometimes just one person) comes with many names, such as Security Operations Center (SOC), Cybersecurity Operations Center (CSOC), Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT).

Successful organizations try to control the cyber domain to their advantage, instead of passively observing and fixing technical aspects of the cyberattack. Therefore, there is an ever increasing demand for any company or organization to set aside resources to protect their interests from attacks in cyber domain. The most important resource in this respect is knowledge and it is therefore important that expertise to prevent, detect and handle cyberattack is not based on understanding of basic ICT and information security principles alone, but also knowledge about tactics and operations needed to control the cyber domain. Such knowledge is crucial for any SOC, CSIRT or similar cyber security teams.

Cyber Operations should be the science about controlling the cyber domain to the best of organizations or society, through Information management, network centric business and information warfare. The proposed track provides advanced knowledge in cyber-techniques, -tactics and -operations. Cyber-techniques will focus on technical skills needed to understand the underlying incidents, such as malware analysis. Cyber-tactics and -intelligence will focus on how to organize resources and use them to control the cyber domain and make organizations resilient to cyber attacks.

The purpose of this track is to provide knowledge on strengthening organizations resilience against cyber attacks and ability to handle them. Handling cyberattacks aims at reducing the consequences or impact of the attacks on individuals, organizations or the society in addition to the technical analysis of the underlying incident (e.g. loss of information og downtime of services). This will require focus on combining deep technical analysis with context information about what valuable assets are for individuals, organizations or the society.

The objectives of this track of the study program are achieved through a curriculum based on courses reflecting current best practice, established standards, development work and research activities of the teaching staff. A close collaboration with partners (e.g. CYFOR, NorSIS and other partners of CCIS) allows the study program to quickly adapt to new technologies, challenges and threats. This facilitates real life scenarios/cases for the students.

Duration

The experience-based master program (90 ECTS credits) is available as a part-time study program over three years. The entire program is taught in English, and the degree awarded upon completion is:

  • «Experience-Based Master in Information Security/Specialization Track». The program has three specialization tracks:
    • «Digital Forensics and Cybercrime Investigation»
    • «Corporate Forensics»
    • «Cyber Operations»

The program does not qualify the students to proceed to Ph.D. studies.

Expected learning outcomes

Knowledge
  • The candidate possesses advanced knowledge in the field of information security generally and the chosen track specifically: Digital forensics and cybercrime investigation, Corporate forensics or Cyber operations.
  • The candidate possesses thorough knowledge of the theory, best practices and methods in the field of information security generally and the chosen track specifically.
  • The candidate is capable of applying knowledge in new areas within the field of information security generally and the chosen track specifically.
  • The candidate is familiar with current state-of-the-art in the field of information security generally and the chosen track specifically.
  • The candidate possesses thorough knowledge of methodology, needed to plan and carry out application and development projects in the field of information security generally and the chosen track specifically.
Skills
  • The candidate is capable of analyzing existing theories, methods and interpretations of theories within the chosen track as well as independently analysing and solving theoretical and practical problems.
  • The candidate is capable of using independently relevant methods in fact-finding and development. These methods include literature study, critical thinking, logical reasoning and performing methodologically sound experiments together with interpreting their results.
  • The candidate is capable of performing critical analysis of different information sources and applying the results of that analysis in academic and practical reasoning, structuring and formulating theoretical and application-specific problems.
  • The candidate is capable of carrying out a plan of a specialization project under supervision.
  • The candidate is capable of completing an independent study and development project of moderate size under supervision (example: the master thesis), adhering to the current code of professional conduct and ethics in academic fieldwork.
General competence
  • The candidate is capable of analyzing professional and academic problems.
  • The candidate is capable of using knowledge and skills to carry out advanced tasks and projects.
  • The candidate is capable of imparting comprehensive independent work in the field of information security. The candidate also masters the terminology in the field of information security and his/her area of specialization.
  • The candidate is capable of communicating academic issues, analysis and conclusions both with experts in the field of information security and with the general audience.
  • The candidate emerge with greater insight and confidence in the professional role.
  • The candidate can identify and evaluate ethical dilemmas in the conducting work.
  • The candidate is capable of contributing to innovation and innovation processes.

Internationalization

The students may travel abroad to study for their master theses. The faculty has strong links to many of the leading international academic groups, educational and training facilities, as well as relevant laboratories. Students are encouraged to contact the program director to ask for advice on relevant internships and travel opportunities. The track Digital forensics and cybercrime investigation has strong links to the setup of the Nordic Computer Forensic Investigator (NCFI ) program.

Target Group

Track: Digital Forensics and Cybercrime Investigation

  • Personnel working in police service and law enforcement in the Nordic countries who have digital forensics and cybercrime investigation as their primary work task.

Track: Corporate Forensics

  • Personnel in private corporations, public services or inspectorates who deal with the investigation of ICT incidents and digital trace evidence.

Track: Cyber Operations

  • Personnel working in private, public and governmental organizations/companies who have a work tasks related to preventing, detecting and handling cyber attacks; typically, personnel from SOC, CSIRT and CERT environments.

Admission Criteria

To enter the study programme, applicants must have a relevant bachelor degree with a grade point average of at least C, and at least two years of relevant work experience.

Relevant bachelor degrees for the track Digital Forensics and Cybercrime Investigation are: bachelor degree in police studies or bachelor degree from The Norwegian Defence University College (NDUC); or bachelor degree, Cand. Mag. degree or other relevant degrees (see § 3-4 Lov om universiteter og høyskoler) in another field relevant for information security within digital forensics and cybercrime investigation.

Relevant bachelor degrees for the tracks Corporate Forensics and Cyber Operations include, but are not limited to, all bachelor degrees within the area of computing or technology in general.

Relevant work experience for the track Digital Forensics and Cybercrime Investigation is at least two years of practical work experience within the area of digital forensics and cybercrime investigation.

Relevant work experience for the tracks Corporate Forensics and Cyber Operations is at least two years of work experience within information security. This work experience must include practical work with computers and networks.

In addition, some of the courses in the Digital Forensics and Cybercrime Investigation track requires students to have passed the syllabus of Nordic Computer Forensics Investigators Level 2 (NCFI 2) or equivalent education.

Course Structure

The whole study program is accessible for on-campus and remote students (note: some presence on campus is required of all students, see section on “Study methods”). It is mainly organized as a web-based, online program. The teaching methods emphasis a student-centered learning via Internet. The study program is delivered via an online learning-management system with a focus on pedagogical methods that generates student activity, such as a virtual computer laboratory. The working methods of the program are intended to provide students with individual learning primarily yet may also opt for peer interactions, and in particular highlight the link between theory and practice.  

All previous courses have to be completed before starting work on the master thesis (an exception of 10 missing credits may be tolerated at the discretion of the director of the study program, but only if the missing credits are not relevant for the topic of the master thesis).

The tracks Corporate forensics and Cyber operations have all courses as mandatory. The track Digital forensics and cybercrime investigation has elective courses in semester two, three and four, where the elective courses offered depend on the interest of students in this track but also on the interest of students in other study programs these courses are a part of. Which of the courses Windows forensics, Apple-device forensics and Forensic tool development are offered in each of these semesters will be announced before the beginning of the semester. In other words, students will be offered to take all three courses but the sequence of these courses is not fixed.

Study methods

  • Lectures
  • Exercises
  • Assignments
  • Project work
  • Essay/Article writing
  • Independent study
  • Lab exercises

The Experience-Based Master program in Information Security makes extensive use of flexible distance study methods. Every course contains the whole study material in digital form available online, via a learning-management system available to the students once enrolled in the program. Some courses use online or home exams, while some exams may require physical presence on campus. In general, on-campus presence is required two to four times per semester.

Technical Prerequisites

The students are expected to have access to an updated computer and broadband Internet connection. Software that is needed is mostly freely available on the Internet. As for the practical computer skills, it is expected that the students are capable of using any contemporary operating system (Microsoft Windows, GNU/Linux, Mac OS, etc.) both with a graphical user interface and a command-line interface. Some of the courses in the Digital forensics and cybercrime investigation track require students to have access to a Mac OS X computer and a Windows computer. For the tracks Corporate forensics and Cyber operations, students need to have some programming experience and should be able to read and understand assembly language.

Table of subjects

Experienced-based Master in Information Security: Cyber Operations track

Coursecode Course name C/E *) ECTS each. semester
  S1(A) S2(S) S3(A) S4(S) S5(A) S6(S)
IMT4113 Introduction to Cyber and Information Security Technology C 7.5          
IMT4110 Scientific Methodology and Communication C 7.5          
IMT4116 Reverse Engineering and Malware Analysis C   7.5        
IMT4123 System Security C   7.5        
IMT4204 Intrusion Detection in Physical and Virtual Networks C     7.5      
IMT4114 Introduction Digital Forensics C     7.5      
IMT4213 Cyber Tactics C       7.5    
IMT4214 Cyber Intelligence C       7.5    
IMT4905 Experience-based Master’s Thesis C         15 15
Sum: 15 15 15 15 15 15
*) C - Compulsory course, E - Elective course

Experienced-based Master in Information Security: Corporate Forensics track

Coursecode Course name C/E *) ECTS each. semester
  S1(A) S2(S) S3(A) S4(S) S5(A) S6(S)
IMT4113 Introduction to Cyber and Information Security Technology C 7.5          
IMT4114 Introduction Digital Forensics C 7.5          
IMT4130 Cybercrime Investigation C   7.5        
IMT4116 Reverse Engineering and Malware Analysis C   7.5        
IMT4204 Intrusion Detection in Physical and Virtual Networks C     7.5      
IMT4110 Scientific Methodology and Communication C     7.5      
IMT4128 Socio-technical Systems Enabled Crime C       7.5    
IMT4215 Experience–based Specialization Project C       7.5    
IMT4905 Experience-based Master’s Thesis C         15 15
Sum: 15 15 15 15 15 15
*) C - Compulsory course, E - Elective course

Experienced-based Master in Information Security: Digital Forensics and Cybercrime Investigation track

Coursecode Course name C/E *) ECTS each. semester
  S1(A) S2(S) S3(A) S4(S) S5(A) S6(S)
IMT4114 Introduction Digital Forensics C 7.5          
IMT4012-PHS Open Source Forensics C 10          
IMT4128 Socio-technical Systems Enabled Crime C   7.5        
Elective, 10 ECTS E   10        
IMT4110 Scientific Methodology and Communication C     7.5      
Elective, 10 ECTS E     10      
Elective, 7.5 ECTS E       7.5    
IMT4905 Experience-based Master’s Thesis C         15 15
Sum: 17.5 17.5 17.5 7.5 15 15
*) C - Compulsory course, E - Elective course

Elective Courses for Experienced-based Master in Digital Forensics and Cybercrime Investigation

Coursecode Course name C/E *) ECTS each. semester
  S1(A) S2(S)
IMT4013-PHS Windows Forensics E 10 10
IMT4504-PHS Apple-device Forensics E 10 10
IMT4505-PHS Forensic Tool Development E 10 10
IMT4130 Cybercrime Investigation E   7.5
IMT4215 Experience–based Specialization Project E   7.5
Sum: 0 0
*) C - Compulsory course, E - Elective course