Papers
In this paper, we present our experiences of the first phase of our proposed two phase project for incorporating standardization and virtualization approaches in the undergraduate and graduate computer security courses and curriculum at pilot universities and various community college institutions. We detail as a case study our experiences by developing a model for generating faculty, laboratory instructor and most importantly student interest in imparting and disseminating computer security education.
Several educators have noted the benefits of providing students a hands-on experience in security education. Different approaches, such as traditional labs, competitions, virtual labs, and simulated web labs have been proposed. At our institution, we have used a variety of different approaches over the years and have concluded that the best approach depends on the complexity of the concepts being taught and the student background in the area. As a result, we now use a combination of lab approaches based on the subject. This paper will describe the different ways of providing hands-on labs, our decision process for the appropriate format, and our experiences with using this approach.
In the area of computing, there are a plethora of curricular and training standards that attempt to define content for a computing curriculum. In addition, there are several accrediting bodies and standards. The task of building and maintaining a degree program aligned with one or more of these standards is a daunting one. Maintaining the appropriate documentation for managing such a process is time-consuming and space-intensive.
The demand for information systems security education has never been higher, while the availability of high-quality information systems security instruction and of well-qualified instructors are both extremely limited. Meeting the demand requires converting teaching from an individual activity to a community-based research activity. As a result, Carnegie Mellon University’s Open Learning Initiative and the Software Engineering Institute’s CERT® Program have collaborated in the development of an online secure coding module that exemplifies how to capture expert content, ensure high-quality learning, and scale to meet rapidly growing demand. This paper describes this effort and how high-quality information systems security instruction can be scaled to meet existing and projected demand.
A number of cyber security competitions currently exist. Some are aimed at high school students, some at professionals, and some at security professionals. By far the largest number of competitions take place at the collegiate level. Currently there is very little that ties these competitions together and at times it may seem that the competitions themselves are competing against each other. For these competitions to take the next step toward establishing themselves collectively as a recognized competition program they need to come together and establish a Collegiate Cyber Security Championship Cup and the program that would run it.
The modern world of computing familiar to most college students is one based on mobile devices that rely increasingly on cloud storage. In this world, all students need to have a conceptual and practical understanding of the inherent computing, data, and privacy/security issues involved, but most institutions treat CyberSecurity education only as part of the institution’s computing or information security curricula. At best, most students are introduced to this modern world through superficial courses on using mobile devices. The authors propose to make computer security and information assurance part of the general education for all undergraduates.
Computers have controlled physical systems for decades, but increasingly today, these systems are being interconnected to enterprise IT systems via the Internet. The reasons revolve around efficiency, but the practical matter is that IT personnel are encountering these non-standard IT systems and must learn to integrate them into their operational world. To introduce students to the world of SCADA networks and protocols, together with the operational and security requirements, a laboratory facility is designed and constructed with accompanying curriculum.
Discussion on cyberwarfare or information warfare has been dominated by visuals of high tech command centers with giant plasma screens. Tactical exploitation of captured enemy digital devices: laptops, handhelds, PDAs, cell phones, etc. is sometimes neglected. One of the growing challenges posed by the growth of digital information and digital devices is how to train the existing combat force for safe exploitation of captured digital devices. Auburn University researchers have been participating in an ongoing training effort to re-task injured service members to serve as digital investigators.
Current information security education approaches tend to focus on theories and concepts. Although these conventional education strategies have their own advantages, students can also benefit from pedagogical strategies that are more interactive and scenario-driven. In particular, the current net-generation of students are often more likely to prefer learning in a feedback-rich and contextualized environment. Therefore, an environment in which learning occurs in a game-like context can be highly effective in teaching students information security topics, especially in introductory courses.
Tasked with a goal of increasing profits for their shareholders, corporations are fleeing to the cloud to help defray some of the costs of doing business. Unfortunately, much of this mass migration is being done without adequate consideration for the security implications of moving to a potentially multi-jurisdictional environment. In this paper, we explore cloud service consumers from an educational perspective and provide discussion of some scenarios that can be used in an academic setting to increase awareness of some of the important security considerations that should be investigated prior to making a move to a cloud platform.
Information security is a topic of frequent discussion within the larger community of information systems (IS) and information technology (IT). The high cost of information security breaches heightens the importance of information security within all levels of an organization. However, despite this reality a need exists for qualified information security professionals to fill these important roles within organizations. This paper presents a competency based approach to information security education. Competency based education provides a mechanism to allow individuals to obtain an education within a particular field not by completing a certain number of seat hours, but instead by demonstrating competency in the required subject matter.
Rule development for Snort, which is one of the most popular network intrusion detection systems, is a critical skill to detect ever emerging new cyber attacks. This paper describes a Snort lab that helps students to learn Snort rules effectively. For beginners, it is difficult to determine if a rule is correctly written without being able to test it in a realistic setting. The uniqueness of this hands-on learning lab is that it allows students to learn how to write Snort rules by testing and debugging their rules against the live network traffic replay. The lab requires students to learn and apply various features of Snort rules to successfully detect the intrusions. The intrusion traffic packets are real captures that were downloaded from various sources on the Internet.
This paper presents the results of the National C3 Baseline Study conducted with 1569 educators and 94 technology coordinators from a web-based instrument. Educators and local education agency (LEA) technology coordinators/directors also responded to an open-ended survey question. Additionally, qualitative data were collected by group and individual interviews. The purpose of the survey was to explore the nature of Cyberethics, Cybersafety and Cybersecurity (C3) educational awareness policies, initiatives, curriculum and practices currently taking place in the U.S.
The vulnerability of users to social engineering is well known; however, very few techniques have been developed to successfully mitigate the threats users unwittingly expose our infrastructure to. Annual training and awareness campaigns have done little to keep users vigilant against the many forms of social engineering, especially phishing emails. Phishing is regarded as one of the most effective social engineering attacks. In this paper we describe an effort to increase the awareness of users through a campaign of training, policies, and assessment.
To address criticism of higher education pedagogy, scenario-based learning (SBL) is presented. Principles and learning methodologies from experiential learning theory are reviewed. The authors present practical methodology for a sample scenario incorporating scenario-based learning.
Colleges and universities that teach Information Assurance (IA) skills are beginning to address the ethical issues associated with this academic discipline. There is a potential that IA skills might be misused to commit criminal or terrorist acts. Schools are beginning to consider the financial and ethical liabilities of their students misusing the technical, business, and legal skills that they learned at that school. One dilemma facing educators is whether a student with a criminal background will revert to criminal behavior and use their newly acquired IA skills for illegitimate purposes. Having criminals with the same knowledge and skills as the professionals investigating their illicit activities will seriously complicate solving these crimes.
Service learning enables students to provide real service to the community as part of their learning/educational experience. Service learning can take many forms in security, including maturity assessment, security planning, awareness training, product research, product evaluation, and facilities or procedural audit. These projects help students learn to communicate with non-technical staff, apply security training, obtain experience in a real world environment, develop professional documentation, and contribute to their neighborhood. This paper describes the benefits and challenges the author has experienced for each type, but also discusses tools that can help security instructors in implementing service learning in their security courses.
Each year hackers exploit hundreds of vulnerabilities in software, yet the same vulnerabilities continue to appear in code, over and over again, and many educational institutions continue to teach programming as they always have. Companies, such as Microsoft, have found it necessary to conduct secure coding training classes to make up for the absence of the subject in college-level curriculum. Reasons for this lack are many, but our research is motivated by one major barrier: instructor lack of time to convert existing, well-developed curriculum to include secure coding concepts. To address this issue, we have developed an approach that applies the 4+1 Views software re-engineering technique to transform source code that does not incorporate any security concepts, into source code that can defend against attacks.
It is of increasing importance that we incorporate security and cryptology in both the undergraduate and graduate curriculums. This paper introduces cryptology in the framework of general cybersecurity and advocates that it is an appropriate mechanism for introducing security issues into the classroom at all levels of the curriculum. A practical free software package called CrypTool, which can be a major asset in any attempt to teach cryptology to a range of student audiences, is presented. Applications and classroom experiences using CrypTool are discussed along with some student feedback.
Many computer security programs supplement their courses by providing labs to fortify concepts being taught; however, often these labs are taught in isolation and do not allow students to see the complexity of integrating a system of systems architecture. The “seams” of these security systems are where deep learning happens and where attacks slip through. This paper discusses a capstone course designed to help students integrate security systems with all of their interconnecting parts and see the importance of putting these pieces together securely.
The effort to secure cyberspace continues unabated. Yet, losses continue to mount. If we are to gain ground in this effort, we must understand our adversaries and the mechanisms they use to inflict losses. When we know the threats facing our information assets and the potential losses the assets face, we can begin to build more effective defenses using well defined risk management methodologies. This paper examines top computer executives’ perspectives on current threats to information security, and compares those threats to a previous study from 2002.
Student participation in cyber defense competitions provides an environment different from a normal classroom/lab situation, thereby providing an opportunity for alternative learning and motivation. These competitions are characterized by intense three-day situational exposure to real-life network management, administration and security issues. This experience appears to increase motivation and engagement in students’ learning. Students who participate in these competitions gain a perspective of the limits of their current knowledge, the benefits of a more extensive understanding of technical concepts, and the significance of integrating content from a number of areas.
The penetration testing process, or the evaluation of a system for potential vulnerabilities, is a crucial factor in ensuring system security and stability. At its core, this process involves the art of analyzing and subsequently decomposing an inherently complex system into its constituent interoperable subsystems. It seems intuitive that, for the purposes of standardizing and expediting this process, one might employ the use of the very tools used in the construction of a target system in its decomposition. To that end, our team has chosen to use a sufficiently robust architectural modeling framework – the Department of Defense Architecture Format (DoDAF) – to aid in the decomposition of a sufficiently complex, black-box system in the context of the penetration testing process.
The National Security Agency (NSA) began designating colleges and universities as Centers of Academic Excellence (CAE) in 1998 if they met several criteria [1]. The Department of Homeland Security (DHS) now works with the NSA to designate schools as centers of excellence. CAEs must be able to map their curriculum to the government’s standards and demonstrate they have the faculty, organizational structure, scholarship, and commitment to developing a rigorous program. The schools committing resources to obtaining this designation are making a major multi-year commitment and need to get a return on investment. Many schools assume that this return comes in increased student enrollment. To justify this assumption, this project will attempt to determine if the CAE designation impacts the school selection of students.
Copyright © 2024 CISSE™. All rights reserved.