Papers
Tasked with improving enrollment and retention, institutions of higher education are increasingly utilizing online delivery in the battle to attract and retain students. Understanding effective online practices can improve the learning experience for both students and the institution. In this paper we describe the results of two studies whose purpose was to identify some best practices in online delivery of master’s level information assurance education utilizing a hybrid synchronous (real-time) and asynchronous delivery method.
In early 2012 the Information Assurance Courseware Evaluation (IACE) program certified a textbook as conforming with the training standard for information security professionals. The textbook was specifically developed to cover the training standard's requirements with the sole prerequisite of a basic computing course. This posed a series of challenges. The curriculum standard, published in 1994, does not attempt to outline an effective course of study and it is out of date in many ways. Some required topics are unlikely to appear in introductory or second-year courses. Moreover, the standard requires several technical topics whose details were previously classified and thus are poorly covered in the general literature.
In 2008, the director of the CIA Clandestine Information Technology office concluded that the US is short of 20,000 to 30,000 skilled cyber security specialists. At that time, there were to most reckonings only 1,000 experts. Yet there remains a relatively vague definition of what constitutes a skilled cyber security specialist and what skills such an individual should possess. In this paper we discuss what constitutes a cyberspecialist and how this differs from the typical view of Information Assurance and Security. We also note the connections between the cyber and physical domains. In conclusion we recommend key knowledge points and skills that we believe are key in securing, defending and protecting cyberspace.
Critical infrastructures such as Supervisory Control and Data Acquisition (SCADA) systems have succumbed to the demands of greater connectivity. Although connecting this critical equipment and these devices to cyberspace has brought us tremendous convenience, it has also enabled certain previously unimaginable risks and vulnerabilities. These risks and vulnerabilities bear directly on our daily existence and are perilous to ignore. This paper presents an overview of the vulnerabilities of SCADA systems. Also described are proof-of-concept methods of attacking some of these vulnerabilities.
Many Information Assurance courses include privacy topics. However, many of them do not address privacy issues systematically and comprehensively. Those courses do not offer students a complete picture of privacy from both data providers’ and data collectors’ perspectives. A coherent and consistent curriculum framework for teaching privacy needs to be defined. Moreover, students learn about possible invasion of privacy as a result of poor information system security, not about privacy as an essential principle of information systems. This paper discusses the importance of defining a consistent framework for teaching privacy in the IA curriculum. The authors propose key learning outcomes and content modules, as well as two options for implementing the framework. The framework can be used as a guide to design privacy courses and learning modules.
Online learning is expanding rapidly both for traditional student populations and for industrial and nontraditional student groups. This paper describes an experiment of migrating a computer security lecture course into a blended format, utilizing a combination of online and in-class delivery. The experiment was largely successful, but illuminated a number of factors to be considered in moving to an online format.
Our current computer and electrical engineering practices are insufficient to assure transactions through cyberspace. The critical flaw in these practices is mistaking reliability for security at the system design level. In this paper, we explicitly differentiate between reliability and security. We identify three pillars needed for an emerging cadre of cyber engineers, which include open-ended problem solving, cyber leadership and technical communication.
Constructivism is a learning theory that emphasizes learner-centered knowledge acquisition and assimilation. In this paper, I report my experience of implementing a constructivist learning environment in a Master’s course in information security. Following constructivist tenets, the implementation was composed of (a) a personal knowledge construction component culminating in a security presentation and (b) a social construction component in which students constructed knowledge with their peers. In addition to narratives of these components, potential drawbacks are discussed.
Recognized current industry demand for qualified software security professionals has prompted educators to develop innovative courseware that increases students' ability to apply theory in practice and to reflect on what they have learnt in a real-world context. This paper describes a reflective practice assessment task newly introduced in the Software Security Lifecycle course within the Master of Science (Cyber Security and Forensic Computing) program at the University of South Australia. The paper describes our experience in constructing this courseware task to balance the content of lectures and the content of hands-on practicals delivered in our security laboratory during the specially allocated timeframe, an intensive one-week study workshop. It also provides preliminary students’ responses on the relevance of reflective practice in their assessment, and the overall impact of this courseware task on students.
Mission assurance is the assurance of the correctness, integrity, security, and availability of critical capabilities necessary to complete a mission successfully. National security depends on the integrity of command and control for military systems, the power grid, and financial systems. Thus, the alarming lack of personnel capable of doing mathematically rigorous specification, design, verification, testing, and procurement of trustworthy systems is a national weakness with profound implications for national security. This paper reports the results of a pilot program at the undergraduate level whose objectives include equipping undergraduate computer engineers and computer scientists with the theory, methods, and tools necessary for formal specification and verification of mission-essential functions in cyberspace.
To meet the growing demand for skilled professionals who can develop secure software, it is important to provide software security education to computer science students in colleges and universities. This paper describes a set of hands-on laboratory exercises we developed to teach software security. These laboratory exercises cover the following topics: code review with tools, web application vulnerability assessment, web spidering, exploiting hidden value, fuzz testing, and threat modeling. Our teaching experiences and related work are also discussed.
This High School Cybersecurity eLearning Pilot was conceived to address a significant national issue: the Science, Technology, Engineering and Mathematics (STEM) shortfall that does not appear to have an available solution. The Pilot demonstrated that U.S. educators currently have the resources to implement a national cybersecurity training program, whether as part of a school’s program, or conducted after school. From this experience, we have demonstrated that this shortfall can be immediately addressed through a formal curriculum, supported by a 24x7 online trainer technology, and procedures and tools to empower the local educators.
This research identifies the critical need for a standardized framework to establish and maintain compliance of security and privacy in healthcare organizations. In response to this need, this research proposes the design and development of a novel standardized framework for establishing and maintaining security and privacy compliance in information systems for health care organizations and clinical practices.
IT Security Auditing helps students understand security from a management and policy perspective rather than from a purely technological one. In this paper, we brainstorm the common body of knowledge on IT Security Auditing after elaborating its importance in IA. We also share our course design and implementation from teaching this course for the last five years to our undergraduate and graduate students in the Cybersecurity degree programs. We want to emphasize that an IT Security Auditing course should be different from computer forensic courses. Lastly, we discuss our continuing project on a self-learning and self-auditing tool that is being used by our students.
The same vulnerabilities continue to appear in code, over and over again, yet many educational institutions continue to teach programming as they always have. Some high-tech companies have found it necessary to establish ongoing security training for their developers to make up for the absence of a college-level secure coding curriculum. Recently, the thread model, which integrates security concepts into existing computing curricula, has been recognized as an effective way to transform education in secure software without burdening resource-limited institutions with a complete curriculum change.
We all know that it is necessary for educators to provide their security students hands-on experiences. Without these experiences students are not going to be prepared for the world of work, where employers expect the graduates to hit the ground running. To address this issue many different approaches have been used, such as traditional labs, virtual labs, and simulated web labs. Similar to other institutions, we have used all these approaches with high levels of success. However, because our students are expected to have real-world experience, our college has moved most, if not all, of the final semester hands-on labs to real-world, live Internet labs. This paper describes our decision processes for converting our labs to this real-world approach and our experiences in that environment.
While the necessity of ensuring that secure coding practices are universally taught and adopted is becoming increasingly apparent, there is still debate over whether we are making significant progress in this area. This paper recalls the accomplishments of the first Secure Coding Workshop in 2008 and discusses some of the outcomes, challenges, and findings from that workshop. It then discusses the 2011 Summit on Secure Education, which explored some of the issues raised at the Secure Coding Workshop. It also discusses some of the follow-on activities that the workshop helped to inspire or promote, and some remaining objectives that are still presenting challenges in the ongoing pursuit of secure coding.
The Moodle eLearning System is well known as a free web application e-learning platform used in many schools as a way to allow on-line student interaction. Institutions use Moodle for its flexibility, adaptability and ease of use. Moodle has an installation base of tens of thousands of institutions with millions of student users. Our institution uses Moodle for the administration of timed on-line quizzes taken outside the classroom as well as a vehicle for students to submit homework assignments. This paper outlines well-known vulnerabilities in Moodle v. 1.9 and attempts to exploit these vulnerabilities as well as to identify new vulnerabilities in Moodle v. 2.1.
Cyber security competitions are becoming more common and more complex, and faculty interested in hosting a small-scale event may be intimidated into thinking that they necessarily require significant investments of time and resources. In this paper, we describe how a single faculty member has been able to run a number of small-scale competitions in a variety of formats, ranging from class and club level up to competitions with five different participating schools.
Teaching secure programming should not be separate from teaching programming. By teaching high school students to code responsibly we foster a security mindset and establish a foundation of secure programming skills. High school computing teachers need ready-to-use resources that allow them to incorporate security principles in their programming classes. Additionally, it would be helpful to provide a seamless laboratory environment in which to run them. This paper discusses the Security Injections @ Towson project running in the RAVE environment, which has proven successful in two- and four-year institutions and could easily be adapted for the high school classroom.
Network Security is a complicated course to teach, requiring extensive hands-on experience to fully develop the students' knowledge base. To help facilitate comprehensive lab exercises, NYU-Poly developed VITAL, a Xen-based, remotely accessible, open source virtualization platform designed around the classroom environment.
The need to use a practice- and application-oriented approach in information security education is paramount. A security education curriculum that does not give students the opportunity to experiment in practice with security techniques cannot prepare them to efficiently protect the confidentiality, integrity, and availability of computer systems and assets. In this paper, we first discuss security issues with stateless basic packet filtering, and the concepts of stateful TCP, UDP and ICMP packet filtering. Then, we describe the implementation of a comprehensive hands-on lab exercise on how to identify whether a given firewall performs stateless or stateful packet filtering.
HIPAA is an example of a full-featured security regulation that is also concerned with privacy. Exposing students to this real-world regulation helps them realize that the security they are learning is actually required by law. It also provides them with useful knowledge for when they interview and enter the workforce. The Health First Case Study enables students to work with a hypothetical doctor’s office, which must adhere to HIPAA. Through the case study exercises, students continually refer to the HIPAA regulation to ensure that they are in compliance.
Information security programs teach dangerous skills to their students. Despite our best efforts as instructors and mentors, some students will use these skills in inappropriate, and sometimes illegal, ways. As a result, students jeopardize their careers, hurt others, and put their institution’s entire information security program at risk. In this article, we present results from interviews with information security instructors from academic and government information security education programs. This article includes analysis of real-world incidents where students crossed the line in using their skills, and suggests best practices for deterring student misbehavior as well as techniques for mitigating damage and maximizing learning when an incident does occur.
Copyright © 2024 CISSE™. All rights reserved.