Archives

Papers

This paper describes a practical case study used in a unit of study relating to security of computer facilities. The case study has been designed to draw together the theory presented in a number of security units previously completed by the students. The paper discusses the importance of experience in learning and describes the case study content and action requirements. This case study is currently being used within the School of Computer & Information Science within Edith Cowan University for security degrees.

In May 1998, the INFOSEC community became aware of the White Paper titled "The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63" (PDD-63). Shortly afterwards, the National Security Agency (NSA), using its technology transfer charter, responded proactively to PDD-63 by offering an INFOSEC Assessment Methodology (IAM) course to government and private-sector security professionals. The course is intended to provide a qualitative (not quantitative) approach for carrying out a high-level policy and documentation review that is non-intrusive and based on non-attribution (the process is neither an inspection nor an audit), yet produces an analysis of an organization’s overall security posture.

Because not all vulnerabilities of a network can be identified, and penetration of a system cannot always be prevented, Intrusion Detection Systems (IDSs) have become necessary to ensure the security of a network. A great deal of research has been conducted on intrusion detection in wired environments; however, new issues arise when implementing an IDS in a mobile, ad hoc environment. This paper discusses the considerations involved in designing an IDS for a mobile, ad hoc network and describes an architectural model for IDSs that takes these and other pre-existing considerations into account.

Networks have become indispensable for conducting business in government, commercial, and academic organizations. Networked systems allow you to access needed information rapidly, improve communications while reducing their cost, collaborate with partners, provide better customer services, and conduct electronic commerce. While computer networks revolutionize the way you do business, the risks they introduce can be fatal to a business. Attacks on networks can lead to lost money, time, products, reputation, sensitive information, and even lives.

This paper extends the current concepts of integrating information security topics within existing academic programs to actually establishing a new academic discipline for Information Assurance (IA). It explores the business drivers for such a program and the core body of knowledge required to establish a viable program of academic study in IA. Students of tomorrow should have the opportunity to pursue an IA degree at both undergraduate and graduate levels.

This paper looks at the concept of cyberwarfare and discusses its application in both defense and business environments. An approach to teaching offensive and defensive skills in this area is presented. The warfare tactics of the ancient Mongols are described and used as a trigger for formulating tactics for more modern warfare in cyberspace. Action learning is an important facet of such a learning environment as students need to experience application of the theory in order to produce proficiency in using the required tools.

There is a worldwide shortage of information security specialists. Increased professional training through academic institutions is needed to help fill this demand. In this paper we describe our extensive experience in information security/assurance education over the past twelve years highlighting some of the lessons that we have learned. We describe our current flexible information security education program and discuss future developments in this program.

The author has reviewed the MBA online course descriptions for core and elective MIS courses at institutions with Centers of Academic Excellence in Information Assurance Education. The review shows that core MIS course descriptions have no reference to Information Assurance or information security. Few elective MIS courses mention such education. The paper makes recommendations for improving this situation.

Information Security college-level education efforts received a financial shot in the arm late last year with the announcement of a federal funding program to train an information security workforce. In this paper, we address issues surrounding development of a viable Computer Science, Information Security curriculum that meets the varying needs of the federal government, industry, and academia. The foundation of our program is research and education on information security and the underlying enabling technologies such as cryptography.

The Georgia Institute of Technology has recognized the importance of information security education and research by creating an interdisciplinary center called the Georgia Tech Information Security Center (GTISC). The educational goals of GTISC include the development of an information security curriculum that would serve students from a broad range of backgrounds. It takes an integrated approach to information security education that covers both technological and policy issues. A group of eight faculty from Georgia Tech has worked to create an innovative and broad curriculum that could be used to train future information security professionals.

Many information technologists and others are interested in learning about information security. Some people want to teach themselves about the field; others are willing to take courses from academic centers. This paper reviews a range of options for anyone seeking knowledge of INFOSEC. The format uses questions similar to those that practitioners may receive from correspondents. Topics include helpful books for beginners, courses (live, computer-based and Web-based), videos, associations, conferences, certificate programs and academic programs. The author hopes that the questions, answers and appendices containing specific recommendations and sources will be helpful to all INFOSEC educators.

How do you provide security training and education to people who cannot travel, are "on the go" or physically distributed? Traditional classrooms and audio/video methods are impractical or fall short of a high-quality educational experience. Have you ever received a bunch of talking-head PowerPoint charts? It’s not education! There is an effective method to train information security professionals or end users, using only a web browser. This paper discusses how we created Information Security University (InfosecU), what it does, how it does it, and how it can be used to educate both end users and professionals.

The growth and availability of the Internet created serious vulnerabilities in connected systems. In response to this, the Federal Government has created several programs. Significant among those is the National Security Telecommunications and Information Systems Security Policy and the implementing directives that specify training standards for various professional positions related to telecommunications and information systems security. In response to the directives of the National Security Telecommunications and Information Systems Security Committee (NSTISSC) and to the results of independent research, the faculty of the College of Information Science and Technology at the University of Nebraska at Omaha decided to implement a concentration in Information Assurance as an option in the Master of Science in Management Information Systems Program.

We propose a new method to enforce the fault-tolerant and recovery capabilities of critical network services in a distributed computing environment. With our approach a service can be dynamically dispatched onto any available host and, at any time, each service is not only viable but also consumes the normal amount of resources without duplication. In the event, or upon indication, of system failures, services would reestablish themselves onto other hosts via a non-preemptive remote execution process. The basic simulation is to have a vital service reside on a primary host, with a secondary host designated as standing by. The primary host performs the service until the occurrence or indication of fatal faults in the system. Then, the secondary host resumes the service and becomes the primary host, with yet another host being designated as the new secondary host for that service.
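The primary/standby rotation described in the abstract above, as an added simulation that is not the paper's own code: one service, one primary, one designated secondary, fault indication modelled as consecutive missed heartbeats, and promotion of the standby followed by designation of a fresh standby. The host names, the heartbeat threshold, the scripted crash schedule and the event names are assumptions made for illustration.

```python
"""Simulated primary/standby failover for a single critical service.

Added example, not code from the paper above. Host names, the
heartbeat threshold and the crash schedule are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    alive: bool = True
    missed: int = 0  # consecutive missed heartbeats


class FailoverController:
    """Keeps exactly one primary and one designated secondary for a service.

    The service runs on the primary only (no duplication); the secondary
    merely holds a reservation.  When the primary misses `threshold`
    consecutive heartbeats the secondary resumes the service, becomes the
    new primary, and the next healthy host becomes the new secondary.
    """

    def __init__(self, hosts, threshold=3):
        if len(hosts) < 2:
            raise ValueError("need at least a primary and a standby host")
        self.hosts = list(hosts)
        self.threshold = threshold
        self.primary = self.hosts[0]
        self.secondary = self.hosts[1]
        self.events = []        # audit trail of role changes
        self.outage = False

    def running_on(self):
        return self.primary.name

    def _pick_standby(self):
        """First live host that is not the current primary, or None."""
        for h in self.hosts:
            if h.alive and h is not self.primary:
                return h
        return None

    def heartbeat(self):
        """One heartbeat interval: count missed beats, then react."""
        for h in self.hosts:
            h.missed = 0 if h.alive else h.missed + 1
        if self.primary.missed >= self.threshold:
            self._fail_over()
        elif self.secondary is None or self.secondary.missed >= self.threshold:
            # The standby died first: re-designate before the primary fails too.
            new = self._pick_standby()
            if new is not None and new is not self.secondary:
                self.secondary = new
                self.events.append(("standby", new.name))

    def _fail_over(self):
        old = self.primary
        if self.secondary is not None and self.secondary.alive:
            successor = self.secondary
        else:
            successor = self._pick_standby()   # standby also gone; try any live host
        if successor is None:
            if not self.outage:                # record an unrecoverable outage once
                self.outage = True
                self.events.append(("outage", old.name))
            return
        self.primary = successor
        self.secondary = self._pick_standby()  # may be None when one host is left
        self.events.append(("failover", old.name, successor.name))


def simulate(crashes, hosts=("alpha", "beta", "gamma"), threshold=3):
    """Run a scripted fault schedule: a list of (tick, host_name) crashes.

    Returns (events, primary_name, secondary_name_or_None) after enough
    ticks for every scheduled crash to be detected.
    """
    ctl = FailoverController([Host(n) for n in hosts], threshold)
    last = max((t for t, _ in crashes), default=0)
    for tick in range(1, last + threshold + 2):
        for t, name in crashes:
            if t == tick:
                for h in ctl.hosts:
                    if h.name == name:
                        h.alive = False
        ctl.heartbeat()
    standby = ctl.secondary.name if ctl.secondary else None
    return ctl.events, ctl.running_on(), standby


if __name__ == "__main__":
    print(simulate([(2, "alpha")]))              # primary fails: beta takes over, gamma stands by
    print(simulate([(2, "alpha"), (5, "beta")]))  # chained failures: gamma ends up alone
    print(simulate([(2, "beta")]))               # standby fails: gamma is re-designated
```

The detection rule is deliberately the weak part of the model: a host that is merely partitioned from the controller will be treated as dead, and the old primary may still be serving clients on its side of the partition. A real deployment needs fencing (or a lease the old primary cannot renew) before the standby resumes the service, or the "no duplication" property the abstract promises is lost.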

Too many students are graduating from colleges and universities without taking a single course in information assurance. The need for students to receive more and better education in information assurance is undisputed. For those educational institutions already requiring and/or teaching such courses, the educational experience can be greatly enhanced with a supportive laboratory environment where carefully chosen hands-on tutorials or exercises can be assigned to support the material being presented in the classroom. This paper describes the experiences of supporting information assurance exercises and tutorials at the Naval Postgraduate School. Recommendations are provided so that others may learn from the experience.

The US Military Academy at West Point issued a challenge to the five United States service academies to participate in an inter-academy Cyber Defense Exercise (CDE). This exercise was initiated and implemented by faculty and cadets assigned to the US Military Academy, West Point, with funding and direction provided by the National Security Agency. The exercise was built around defending a network in order to evaluate cadet skills and the effectiveness of the Information Assurance (IA) education provided at West Point. The Cyber Defense Exercise served as the final project for senior-level Computer Science majors enrolled in the IA course. The IA - Service Academy Group for Education Superiority (IA-SAGES), a group formed to plan, develop and share IA curriculum, proposed that all US service academies teaching an IA course participate in the exercise. The US Air Force Academy and US Military Academy accepted the challenge to compete in 2001.

This paper suggests that the instruction of computer security in the university environment should begin with a thorough examination of the 1970 Report of the Defense Science Board Task Force on Computer Security, "Security Controls for Computer Systems". Dr. Willis Ware was the chair of this task force in 1970. While the report itself is dated and the architectures discussed no longer exist, the problem identification contained in the report and the technical issues examined remain valid today, some 30 years after the report was released. Students who have read this report prior to beginning a semester course appear better prepared to understand and follow formal instruction in models, multilevel security, trusted operating systems, and the need for a holistic approach to the security problem. Teaching Saltzer and Schroeder’s principles is made far easier, as is teaching the need for trusted development environments, strong process control, policy enforcement, and accountability.
