Papers
This article examines the impact of a cross-institutional faculty research mentorship program in Information Assurance (IA) on teaching and research at participating institutions. In this NSF-funded project, security researchers invite community college and junior faculty to work jointly on research problems in IA and security. The program aims to enhance teaching in security at institutions in the Maryland Alliance for Information Security and Assurance (MAISA) through research. Its underlying philosophy is that research should inform teaching and that teaching should, in turn, inform research.
Our institution prepares young men and women to enter military service each year. All of these officers are immediately integral to the ongoing conflict in cyberspace. Every mission in today’s military relies on cyberspace for successful accomplishment and every military member is an integral part of the day to day defense of our networks and information assurance. Every graduate of our institution must understand the art of the possible in the information and cyber domains and be prepared to integrate information and cyber techniques into ongoing operations to achieve the desired effects on the adversary.
Recent reports and testimonies to the U.S. Congress have brought into the public eye the massive extent to which U.S. information systems are penetrated by hackers and cyber spies. One recent report provided evidence that U.S.-based university information systems are being used by cyber spies as collection and dissemination points for the fruits of their labors. These discoveries are leading to increased federal information security regulations. This report examines the current state of the use of systematic, well-formulated information security plans by colleges and universities.
A new systematic approach to information systems security education is proposed that includes the concepts of target, system and threat. These concepts cover the complete security context and allow the Asset Protection Model (APM) to define information systems security in a specific context. The APM is based on existing, well-established information assurance models. The APM provides cognitive support as well as a static and dynamic view of the model information.
Web application security has become an important topic as an increasing number of commercial applications are web-based. We are developing a new secure web development teaching tool, called SWEET (Secure WEB Development Teaching), to teach students about web application security based on the life cycle of application development. This paper describes the development of SWEET and provides an example of laboratory exercises on secure web communications. Experiences of incorporating SWEET in Information Assurance courses are also discussed.
This paper discusses how news stories are integrated into an introductory course on Computer Security and Ethics. The main emphasis in this paper is on two assignments that relate to computer security in the news. Special attention is paid to the second of these two assignments. This requires that students create a blog containing links to security news stories along with commentaries on those news stories. This blog is maintained through the entire semester. All of the students who chose to do this assignment during the fall 2009 semester have expressed enthusiasm for this project.
Many universities and community colleges with an Information Assurance major or concentration include a course, or modules of a course, covering the topics of law, ethics, and the effect of information assurance solutions on laws and ethics. In this paper, we discuss how we have applied an active learning approach to our course, “Legal Impacts of Computer Security Solutions”, for both undergraduate and graduate students using the traditional classroom as well as an online learning environment.
The focus of this paper is to discuss observations and common issues that exist with respect to information assurance in rural and urban environments. Due to an often limited prior exposure to computer technology before starting college, students in rural and urban areas begin their studies with an experience deficit that provides an easy attack vector for identity thieves to exploit. In addition to potentially significant personal harm to the individual, losses that result have a negative impact on society. We propose an interdisciplinary approach to address the problem that incorporates the use of case studies to promote discussion and awareness in at risk student populations.
The fast-growing demand for information security education, both in terms of the number of courses and of students, presents a major challenge to developing and maintaining a laboratory facility that reinforces concepts and skills taught in class with hands-on experience. In this paper, we present an approach for designing a Virtual Security Lab (VSL) that allows students to access lab resources through the Internet. Feedback from students enrolled in a computer forensics class showed positive results from using the VSL for this course. Our experience provides valuable lessons for security education.
The Cyber Patriot National High School Cyber Defense Competition has completed its second pilot year. Results have been very promising with 170 schools participating in the 2009-2010 school year. Much, however, still needs to be accomplished in order for the competition to be a truly national competition. This paper will discuss the Cyber Patriot program, what has been accomplished, what is planned, and what is needed for it to be a national program. The paper will also discuss the ties between this program and the National Collegiate Cyber Defense Competition and how the relationship will benefit the competitions specifically and the state of cyber security education in general.
This paper describes an integrative approach for teaching information systems (IS) security issues within an IS strategy and policy course. The educational strategy is to get students involved in thinking critically about information systems (IS) security issues in an executive role. The educational goal is for students to develop an information systems plan, thinking about security issues early—that is, while information systems are in the planning stage—and in concert with the all-too-often compartmentalized topic of ethics. The result is a strategic security planning module. The educational approach is described and outcomes mapped to a pair of accepted information security education standards.
Despite the continuous hard work that educators and organizations undertake to develop the skill base necessary to defend our national assets, it has become increasingly obvious that the United States and the rest of the world are ill prepared for an all-out cyber attack. One very valuable contribution to creating a workforce capable of addressing this important issue is the cyber defense exercise, which simulates the very environments our students will be charged with defending in their careers. In this paper, we explore cyber defense exercises from an educational perspective and investigate how recent work in this area can be leveraged to improve the security posture of the nation.
This paper describes an undergraduate certificate in Information Security that supplements the Baccalaureate degrees in Computer Science and Technology and Information Systems at Radford University with comprehensive coverage of information security. The paper presents the rationale behind our decision to develop a certificate and discusses the issues we encountered while developing and implementing the curriculum for the certificate.
Interdisciplinary collaborations are transforming the way we learn and the way we teach. This article is about expanding the congruent and often overlapping domains of Information Assurance and the Law. While IA curricula pay some heed to the effect of legal matters on security procedure and outcome, the curriculum has been heavily focused on computer science and management information systems. Through greater co-operation we feel that IA curricula may gain tremendous enrichment and increased understanding, not only of the Law, but of issues central to IA.
There has been a standard curriculum for Information Systems programs since the introduction of the DPMA Model Curriculum in 1981. Security management has been an important ingredient in all of the Information Systems curricula. For example, in the 1981 curriculum the CIS-13 course was titled EDP Audit and Controls and was taught much as it would be today, except that the techniques were applied only to mainframes. The CNSS 4012 certification for Senior Systems Managers is a natural certification to add to an Information Systems program.
This paper describes a project to use a virtual team approach to add information security topics to two graduate courses where these topics are not the primary focus, using student teams from those two courses working with students enrolled in an information security management course. Students worked on development of an implementation plan involving security issues for a fictitious business case. Results indicated increased security awareness of students in all three courses by the end of the semester, based on pre-test and post-test results.
As networked computers become more accepted in businesses and homes, so has the recognition for a need to improve and simplify computer security, increase access to information, and ensure that data is not compromised. Leading the way in this effort is the U.S. Government, which focuses its efforts on what it defines as information assurance. One aspect of information assurance programs in both public and private organizations is workforce awareness training. The U.S. Government’s Department of Defense mandates such awareness training annually to all employees and contractors who use their information technology systems.
The security injections project at Towson University proposes to “inject” security across the foundational and upper-level courses at universities and community colleges. To achieve this, we and our partner institutions design and develop a series of strategically placed, security-related, self-contained modules to be used in classes. An easy-to-use web portal serves as the repository and dissemination medium for modules targeted at computer literacy, CS1, CS2, and other courses. To date, this project has reached over 1000 students, and we have held training workshops attended by 45 instructors at 5 institutions. Assessment instruments for student learning have been designed, and controlled experiments with 19 classes at three institutions have shown promising results.
Training students in cyber defense requires an educational model that includes instruction, exercise, competition and certification. To be qualified, the student will need to not only understand the techniques and technology of cyber defense, but also be tested in a live environment, under stressful conditions, in their ability to maintain critical services, while thwarting real-world attacks. As the educator preparing this individual, what curriculum, tools and technologies are required to train and challenge your students from basic instruction through certification?
With the increase in information security programs and curricula, a number of laboratory experiments or exercises, and laboratory-based courseware or courses, have been developed for information security education. While most existing laboratory exercises focus on security issues in wired networks, this paper describes a series of laboratory exercises we have developed for demonstrating wireless network attacks and defenses using common open source tools. These laboratory exercises demonstrate the following concepts or methods: wardriving, eavesdropping, WEP key cracking/decryption, man-in-the-middle attacks, ARP cache poisoning, MAC spoofing, and defense techniques against some of these attacks.
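ARP cache poisoning, one of the attacks listed above, works because hosts accept ARP replies without verifying them, so an attacker can rebind the gateway's IP address to its own MAC in every victim's cache. A passive defense is to watch the ARP traffic and flag any reply that contradicts a previously learned IP-to-MAC binding, or any single MAC that claims several IPs at once (the man-in-the-middle pattern, where the attacker impersonates both the gateway and the victim). The following is an added example, not code from the paper or from the open source tools it uses; the ARP replies are constructed sample data and the addresses are hypothetical.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example).

Strategy: the first binding seen for each IP is treated as the trusted
baseline; any later reply that claims the same IP with a different MAC is
reported, as is any MAC that claims more than one IP (MITM signature).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp in seconds
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # hardware address the sender wants bound to that IP
    target_ip: str
    target_mac: str


# Constructed sample (hypothetical addresses): the gateway 192.168.1.1 and a
# host 192.168.1.10 exchange legitimate replies, then de:ad:be:ef:00:01 claims
# both addresses to poison each side's cache, then the real gateway answers again.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(2.0, "192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(5.0, "192.168.1.1", "DE:AD:BE:EF:00:01", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(5.1, "192.168.1.10", "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(6.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10", "aa:bb:cc:00:00:10"),
]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase form so case differences cannot hide a conflict."""
    return mac.strip().lower()


def detect_ip_conflicts(replies: Iterable[ArpReply]) -> List[Tuple[float, str, str, str]]:
    """Return (ts, ip, baseline_mac, claimed_mac) for every reply that
    contradicts the first binding learned for that IP."""
    baseline: Dict[str, str] = {}
    alerts: List[Tuple[float, str, str, str]] = []
    for r in replies:
        mac = normalize_mac(r.sender_mac)
        known = baseline.setdefault(r.sender_ip, mac)
        if known != mac:
            alerts.append((r.ts, r.sender_ip, known, mac))
    return alerts


def macs_claiming_multiple_ips(replies: Iterable[ArpReply], threshold: int = 2) -> Dict[str, Set[str]]:
    """Return {mac: {ips}} for every MAC that has claimed at least
    `threshold` distinct IPs; a real host rarely does, an attacker poisoning
    both ends of a conversation always does."""
    claims: Dict[str, Set[str]] = {}
    for r in replies:
        claims.setdefault(normalize_mac(r.sender_mac), set()).add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for ts, ip, old, new in detect_ip_conflicts(SAMPLE_REPLIES):
        print(f"t={ts}: {ip} was {old}, now claimed by {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_REPLIES).items():
        print(f"{mac} claims {sorted(ips)}")
```

Comparing against the first-seen binding rather than the most recent one means the legitimate gateway re-asserting itself at t=6.0 is not reported as a new conflict, while both poisoning replies are. In a real deployment the baseline would come from a maintained inventory (or DHCP leases) instead of the first packet observed, since an attacker who is already active when monitoring starts would otherwise become the baseline.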
Designation as a National Security Agency/Department of Homeland Security Center of Academic Excellence requires a campus-wide commitment to information assurance curricula as well as a rigorous application process. This article describes one institution's lessons learned in the application process, from the initial decision to apply through to final application submission.
To address a perceived lack of availability of educational resources for students and teachers in the field of information security, and to advance the quality of information security education in general, our institutions have begun development of a web portal to house information security related educational materials, research and virtual exercises, as well as to provide links to other resources. This portal is termed PRISM, the Public Repository for Information Security Materials. This paper details the initial vision for the PRISM repository; outlines user interface, technical, and personnel requirements; and discusses some of the more interesting aspects of implementation, including access control provisioning and protocols for content submission, review and classification. The current status of the project is also presented, followed by a brief overview of near-term future plans.
Generally discussions of digital signatures, cryptography and computer security focus on the complicated technical details behind the systems. Students are often led to the false conclusion that such systems are truly secure. We describe a very simple Trojan horse attack on a Department of Defense digital signature system, and how its demonstration in the classroom led to an improved understanding of weaker links in the security trust chain, and a healthy skepticism of security claims.
The Computer Science Department at Boston University Metropolitan College offers a sequence of two graduate courses on cryptography. Being mathematical in nature, they lay down a solid foundation of knowledge that can be utilized in semester projects. Two projects are designed which tie together the concepts from both courses to implement real world scenarios in public key infrastructure and web of trust modeling. Several cryptographically secure algorithms are required to be implemented by students to successfully complete these projects.
Virtualization is gaining popularity as a way to offer a more flexible platform for providing hands-on laboratory experiences. Until now, most organizations have been highly decentralized in the way they build and provide their virtualization infrastructure. This is not a desirable approach, because of the duplicated effort spent reinventing the wheel. A more efficient approach is to have a template or standard from which practitioners can build their respective customized versions.
The TCP three-way handshake can be used as a pedagogical tool when teaching network security in an introductory course in information security. I use it as a common theme that runs through various network security topics so that it is easier for students to grasp new concepts while reinforcing old knowledge. This paper describes the rationale for so doing and shares examples of some learning tools I created in this respect.
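The handshake makes a good recurring theme because several network security topics reduce to tracking its state: a SYN flood is a pile of handshakes that never reach the final ACK, a half-open scan deliberately stops after the SYN/ACK, and a SYN/ACK with no matching SYN is backscatter from someone spoofing your address. The following is an added example, not one of the author's learning tools; it walks constructed TCP segments (hypothetical addresses) through a minimal handshake state machine and reports the half-open connections and unsolicited SYN/ACKs that result.

```python
"""Track TCP three-way handshakes and flag half-open flows (added example).

States follow the client-side view of the handshake:
  SYN        -> SYN_SENT
  SYN/ACK    -> SYN_RECEIVED (only if a SYN from the peer was seen)
  ACK        -> ESTABLISHED (only if the SYN/ACK was seen)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


# Constructed sample: one complete handshake, three SYNs from (spoofed)
# sources that are never completed, and one SYN/ACK nobody asked for.
SAMPLE_SEGMENTS: List[Segment] = [
    Segment(0.0, "10.0.0.5", 40001, "10.0.0.1", 80, syn=True, ack=False),
    Segment(0.1, "10.0.0.1", 80, "10.0.0.5", 40001, syn=True, ack=True),
    Segment(0.2, "10.0.0.5", 40001, "10.0.0.1", 80, syn=False, ack=True),
    Segment(1.0, "203.0.113.7", 5001, "10.0.0.1", 80, syn=True, ack=False),
    Segment(1.0, "203.0.113.8", 5002, "10.0.0.1", 80, syn=True, ack=False),
    Segment(1.1, "203.0.113.9", 5003, "10.0.0.1", 80, syn=True, ack=False),
    Segment(1.2, "10.0.0.1", 80, "203.0.113.7", 5001, syn=True, ack=True),
    Segment(2.0, "198.51.100.4", 443, "10.0.0.5", 51000, syn=True, ack=True),
]


def track_handshakes(segments: List[Segment]) -> Tuple[Dict[FlowKey, Tuple[str, float]], List[Tuple[str, Segment]]]:
    """Return ({flow: (state, first_seen)}, [(reason, segment)]) after
    replaying the segments in order."""
    states: Dict[FlowKey, Tuple[str, float]] = {}
    anomalies: List[Tuple[str, Segment]] = []
    for seg in segments:
        key: FlowKey = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse: FlowKey = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.syn and not seg.ack:
            states.setdefault(key, (SYN_SENT, seg.ts))
        elif seg.syn and seg.ack:
            # The SYN/ACK travels server->client, so it belongs to the reverse flow.
            if reverse in states and states[reverse][0] == SYN_SENT:
                states[reverse] = (SYN_RECEIVED, states[reverse][1])
            else:
                anomalies.append(("SYN/ACK without prior SYN (backscatter?)", seg))
        elif seg.ack:
            if key in states and states[key][0] == SYN_RECEIVED:
                states[key] = (ESTABLISHED, states[key][1])
    return states, anomalies


def half_open_flows(states: Dict[FlowKey, Tuple[str, float]], now: float, timeout: float = 3.0) -> List[FlowKey]:
    """Flows that started more than `timeout` seconds ago and never reached
    ESTABLISHED; many of these aimed at one server is the SYN flood signature."""
    return [k for k, (state, t0) in states.items() if state != ESTABLISHED and now - t0 > timeout]


if __name__ == "__main__":
    states, anomalies = track_handshakes(SAMPLE_SEGMENTS)
    for flow in half_open_flows(states, now=10.0):
        print("half-open:", flow, states[flow][0])
    for reason, seg in anomalies:
        print(reason, seg)
```

Note that the three flood SYNs end up in two different states: one received a SYN/ACK (SYN_RECEIVED, a classic half-open connection consuming a backlog slot on the server), the other two never got that far. Both count as half-open from the defender's point of view, which is why the check is "anything not ESTABLISHED" rather than a single state.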
Many security vulnerabilities are caused through flaws in the developed software. We investigate the hypothesis that using a structured software development framework reduces the flaws introduced by programmers, leading to more secure software. To test this hypothesis, we conducted an empirical study comparing applications developed using Struts I, a widely used framework for Java-based web applications, against applications written in JSP/Servlet. Our results suggest that a structured framework may reduce security vulnerability density, mainly as a result of using libraries that abstract away low level API calls. Modular design, e.g. the MVC model, had only a modest impact.
Spear phishing, targeted e-mail that attempts to extract sensitive information without authorization, is a growing concern for individuals who need to protect their personal information and companies that need to safeguard their intellectual property. Technical controls on networks and systems cannot totally prevent spear phishing e-mail from reaching users’ e-mail inboxes, thereby requiring the e-mail recipients to understand how to recognize spear phishing attempts. To underscore the risks and importance of handling spear phishing e-mail appropriately, a security awareness method with immediate impact is needed.
Security has become an increasingly important topic in software engineering. In this paper, an approach using workflow technology in teaching secure software engineering courses is presented. This approach frees students from low-level tool manipulation and command-line interaction so that they can focus on learning the important secure software principles. Four case studies using workflow technology are presented: using a local static analysis tool for code review, using a remote tool for code analysis, integrating local and remote tools, and implementing a web service fuzzer for penetration tests. Our educational practice has shown that the benefits of using workflow technology in teaching secure software engineering classes have been well received by students.
Developing realistic cyber training environments enables hands-on training of cyber security topics in a controlled fashion. Cost, space, time, and reproducibility are major factors that prevent large-scale network replications for individual training purposes. This paper discusses the ways that existing virtualization technologies could be packaged to provide a more accessible, comprehensive, and realistic cyberspace training and education environment to the individual user. The paper maps ways of merging two existing virtualization methods in order to leverage the unique benefits that each type of virtualization technique provides.
The need for skilled information assurance (IA) professionals requires educational programs that impart both theoretical knowledge and practical skills through hands-on lab activities. Students need to develop skills by conducting security-related experiments or hands-on lab activities in safe, isolated system and network environments. Furthermore, more and more information technology (IT) professionals who want to earn graduate-level training in IA are likely to be enrolled in online programs and classes. Hence, providing remote access to labs becomes a necessity for this population of students.
We present an extension of our virtual laboratory series with a new module that examines vulnerabilities in operating systems. These virtual laboratories aim to (i) model real-world situations and bring together concepts from different knowledge areas, (ii) integrate theoretical knowledge and practical skills, and (iii) give students the opportunity to execute the laboratory on virtually any system and experiment anytime, anywhere, in a secure and easily accessible environment.
Copyright © 2024 CISSE™. All rights reserved.