Papers
The US National Security Agency (NSA) established a program in Information Assurance education in 1999 that established Centers for Academic Excellence in Information Assurance Education (CAEIAE). While designated a success by the government, the program has been criticized over the years by program participants as less than optimal. In this paper, we review the program and identify the most serious problems. We then suggest possible solutions to these problems in order to improve the program so that it represents true excellence in IA education.
In this paper we introduce a framework that provides a model for describing security measures and their relative effectiveness as well as importance. This model enhances computer security training and educational curriculum by providing experimental data and analysis to educators and students. Business environments will benefit from this model by enabling more cost effective allocation of scarce IT and security resources. Additional benefits include but are not limited to better development of operating systems, applications, and user interfaces.
In this paper, we present a new pedagogical tool called AEGIS for educating college students about the importance of patch and vulnerability management. The tool is designed and developed in a bottom-up fashion by a group of eight students in accordance with the NIST patch and vulnerability management guidelines. Experience gained while devising various subcomponents of AEGIS could provide students with the much needed hands-on practical training in security and system administration curricula. Lastly, the possibility of using AEGIS as an educational tool to teach and assist day-to-day users with patch and vulnerability management is explored.
This paper discusses the need to develop a common understanding of a curriculum which prepares students to practice in the field of Information Assurance (IA). A study of public documents, congressional hearings, published papers and conference presentations regarding the state of cyber security in America was conducted to discover commonality regarding cyber security education and training. The document review discovered, within academia, information assurance education is not consistently approached; there is a lack of definition and corresponding need for specificity regarding information assurance curriculum. Furthermore, a nearly decade long government call to action for academia to produce increasing numbers of information assurance professionals may not have come to full fruition.
United States (U.S.) government agencies and defense contractors are the target of extremely complex foreign state-sponsored cyber attacks referred to as the “advanced persistent threat.” These attacks are intended to steal sensitive information, such as national defense, research and development, and personal information. While the techniques for information gathering to determine targets (both information assets and people) may be complex, a common method used for infiltrating networks is simple social engineering. Technical controls may be used to tighten access controls but are not the total solution. Changing employee behavior through security awareness is required.
The number of tertiary institutions gaining recognition as a Center of Academic Excellence in Information Assurance has increased steadily since its inception. Although there is some debate on the desirability to align ‘university education’ with training standards and certifications, such recognition provides a baseline of skills and knowledge upon which the information security industry may rely. The task of developing IA curriculum to meet the needs of the standards compliance is a detailed and time-consuming task, with much duplication of effort across educational bodies. This paper presents the idea of using lab exercises to meet the needs of the CNSS standards, which form the basis of the CAEIA requirements and at the same time provide meaningful and interesting learning experiences for the students.
While the emphasis on computer security education within specialized courses is easy to justify and achieve, it is much more challenging to introduce these concepts across the computer science curriculum to begin to “change the culture” of computer science students in order to create a foundational appreciation for and understanding of computer security issues. This paper describes some techniques that have been applied in early computer science programming courses at the University of Alaska Fairbanks to facilitate computer security education among beginning programming students through the use of computer security-focused programming assignments. This provides a mechanism for strengthening computer security skills within the scope of the traditional course content to foster an awareness of information assurance concepts.
The Maryland Alliance for Information Security Assurance (MAISA) is a consortium of 15 community colleges, colleges, and universities led by Towson University. By working collaboratively, we have been able to strengthen our information assurance education programs. We present our consortium, and describe some of our current projects and the effects that they have had on our information assurance education programs.
Despite its clear and growing importance, computer security education is often relegated to a secondary role in undergraduate curricula. Exposure to computer security concerns is often limited to specialized courses and tracks that reach only a small percentage of students, often late in their academic careers. Effective security education approaches must engage more students earlier in their education. These techniques must be adaptable to fit the needs of differing educational institutions and student bodies. Our earlier work with checklist-based security lab modules in CS0 and CS1 provides a basis for a model that can be applied throughout the undergraduate curriculum and at a wide range of institutions.
This paper provided an example for the development of an interdisciplinary Information Technology (IT) Auditing curriculum by mapping the CNSSI/NSTISSI standards with the prevailing ISACA IT Auditing Model Curriculum. IT Auditing involves assisting public or private organizations in ensuring that their information technologies and business systems are adequately protected and controlled. Consequently, IT Auditing professionals need to have a solid grounding in information technology, information assurance, auditing process, as well as regulatory and compliance frameworks. Through our standard mapping processes, we were able to discover the discrepancies between IA and Auditing and proceeded to redesign our current IA curriculum.
In this paper, the Information Assurance Exercise that has recently been developed at Auburn University will be discussed. This educational exercise provides Auburn University with a means to foster student interest as a potential area of study in information assurance as well as Computer Science. This sort of high speed, low drag exercise is designed to be a student’s first exposure to real information assurance practices and demonstrates the stark differences between setting up a virus scanner on a home computer and the level of effort required in securing an enterprise level system. Optional courses in information assurance and computer forensics continue to grow at most universities.
Despite state-of-the-art technologies and enhanced organizational policies, the security of corporate data is not a guarantee. The possibility of the failure of security, however, is. Given the certainty of failure, it is surprising that information security curricula do not include post-incident reviews to gather the lessons learned from failure and to better prepare students to enter the workforce ready to plan for and manage security incidents. This paper proposes that undergraduate and graduate courses in information security include the topic of failure, and address the performance of a post-incident (post-mortem) review as a best practice.
This article provides an overview of an actual application for the National Center of Academic Excellence in Information Assurance Education (CAEIAE) program designation, by one university. Each institution is unique and the experiences provided here are illustrative only. The key to success is providing evidence for each major area of submission. The use of electronic resources, Uniform Resource Locators (URLs)/addresses are emphasized. Applicants can best serve their efforts by assisting NSA evaluators and reviewers with artifacts and verification. The authors have noticed at previous CISSE annual meetings this subject is not well addressed.
The University of Findlay (UF) is located in a small city in northwest Ohio, with an active business community and strong ties between the university and local business leaders. When a committee of the local chamber of commerce decided to benchmark technology use in the local business community, a partnership developed with the Center for Information Assurance Education at UF.
Information Systems Security (ISS) has become increasingly an integral part of our lives. Accordingly, there is the need of increasing awareness of this issue in the society, increasing the workforce capable of meeting the corresponding challenges, and increasing the diversity of such workforce. Academic institutions are in the forefront of this challenge and are best equipped to fulfill the aforementioned goals. Understanding this need, Polytechnic University of Puerto Rico (PUPR) has taken various steps to address this problem. In this paper, we share the advances of ISS education at PUPR and the steps taken to be recognized as a national center of Academic Excellence in Information Assurance Education (CAE/IAE).
We argue that information security can and should be covered in the majority of core computer science courses, both at the undergraduate and the graduate level. One benefit of taking this approach is to strengthen our students' understanding of the various security problems in computing, as well as eliminating many of the security-critical computing habits that are often reported to be had by many IT professionals (especially the production of vulnerable software) early by educating our computer science students, from the very beginning, on the need to keep security in mind when using, designing, developing, and maintaining computing resources.
This paper describes an undergraduate course in software engineering which introduces students to a variety of approaches to developing software. These include PSP, CMMI and agile processes, such as XP and Scrum. An important element in the course is getting students to consider how security issues arise during the software development process. Security issues are raised with respect to the software processes themselves, as well as in our discussions of professional responsibilities, ethics, work culture issues and quality assurance.
The Department of Information Networking and Telecommunications has offered a capstone class for twelve years. 2008 was the first time that students from the two-year old Information Assurance Emphasis reached the course. With guidance of faculty and support from an industry partner, a team of IA students conducted valuable research studying wireless Wi-Fi 802.11 security deployment practices. This paper examines the purpose and design of the class and the results arrived at by undergraduate students. It describes the learning of both the students and faculty. This paper provides evidence that undergraduate students can conduct quality IA research within this type of class structure.
This paper describes the author’s undergraduate Introduction to Computer Security and Ethics course. The main focus of this paper, beyond providing an overview of the course, is on how events in the news impact the course content. It also describes the author’s efforts to motivate students to pay attention to current events and to understand the importance of developments in Information Assurance for our global culture. Two specific student assignments, relating to current events, are described.
Student research can be a powerful educational tool whose benefits are touted by educators at both the graduate and undergraduate levels. Providing a meaningful research experience at the undergraduate level faces several challenges as students are less academically mature, have limited time, and do not have an extensive knowledge base to draw from. Creation of a successful research experience as part of a course project requires careful planning in terms of available topics, project structure, and faculty oversight. At the Air Force Academy, we teach a hands-on senior level security course with a final project. We have structured the final project to attempt to provide a realistic research experience for our students.
Information is a critical business asset, which depends on protection by competent system administrators experienced in real-world environments and threats. With the cyber threat increasing, we need a meaningful way to train, and certify, the level of cyber competency. A cyber-defense curriculum and live-fire trainers that quantify a student’s performance are essential to the survival of our “Information Age” critical assets.
Software flaws are a root cause of many security vulnerabilities found today. Empirical evidence suggests that teaching developers techniques for secure software development can significantly reduce security vulnerabilities. Unfortunately, most Computer Science curricula, including popular textbooks, have paid little attention to secure software development. In this paper we discuss possible approaches to teaching secure software development in Computing Curricula. We also share our experiences in teaching secure software development, including laboratory exercises and assignments.
The ASCENT security teaching lab provides both graduate students and undergraduate students at the University of Texas at Arlington with an opportunity to get hands-on education in both attack and defense. We developed the lab over a two-year period and have learned valuable lessons from its development and use by students. In this article, we examine the design of the lab infrastructure and the use of laptops, the design of exercises, the role of virtualization, and the use of capture the flag exercises. We also discuss the use of our labs in classes conducted at a large software company in India.
Wireless sensor networks (WSN) are used for military as well as commercial applications due to ease of deployment and low infrastructure cost. WSNs are being introduced for collecting patient data in healthcare and sensitive data in military applications. Hence, sensor security remains a major concern and is a challenging research area in the wireless networking community. In order to provide our undergraduate students an opportunity to exercise their creative side before graduation and encourage innovation and creativity, faculty at RIT have developed a course in wireless sensor network security. Our goal is to provide our undergraduate students with research experience and seed their research capability in an emerging networking area.
Copyright © 2024 CISSE™. All rights reserved.